Shape of the returned WebhookEvent.data payload.
The exact raw HTTP request body as a string.
The inbound request headers (case-insensitive lookup; array values take the first).
Your app's callback signing secret (whsec_…).
Optional ConstructEventOpts (e.g. { toleranceMs: 0 } to skip freshness).
The verified, JSON-parsed WebhookEvent.
Verify a callback's signature and return the parsed, typed event — the safe way to consume a webhook.
Recomputes the HMAC over the raw body and rejects the delivery on a bad signature or a timestamp outside the freshness window. Give it the RAW (unparsed) body string — parsing and re-serializing JSON changes bytes and breaks the signature.