import {
  parseWebhook,
  verifyWebhook,
  WEBHOOK_HEADERS,
} from "@interactions-hq/skyline/webhooks";

const raw = await readRawBody(req);
const ok = verifyWebhook(
  raw,
  {
    signature: req.header(WEBHOOK_HEADERS.signature),
    timestamp: req.header(WEBHOOK_HEADERS.timestamp),
  },
  process.env.SKYLINE_WEBHOOK_SECRET!
);

if (!ok) return res.status(401).end();

const event = parseWebhook(raw, headers, secret);
verifyWebhook checks:
  1. Signature matches the raw body + timestamp + secret
  2. Timestamp is within the allowed skew window (replay protection)
Never log or expose the signing secret. Store it in a secrets manager.