Claimful docs

Webhook verification

Signature verification examples and replay-window handling.

Webhook verification

Every webhook includes the header X-Claimful-Signature: t=<unix>,v1=<hex>. Verify the HMAC-SHA256 signature over timestamp.body and reject timestamps older than 300 seconds.

Fixture parity

The JavaScript, PHP, and Python snippets are tested against a shared JSON fixture so their parsing and replay-window logic stay aligned.