ReadonlybodyThe raw request body B2 sent. MUST be the exact bytes received: any JSON re-serialisation or whitespace normalisation will break the HMAC.
Pass a Uint8Array whenever the surrounding framework gives you raw
bytes (e.g. req.rawBody in fastify, req.arrayBuffer() in Hono /
Workers). The string overload is provided for convenience when a
framework already decoded the body as UTF-8.
ReadonlysecretThe signing secret from EventNotificationRule.targetConfiguration.hmacSha256SigningSecret.
This is the exact string B2 returned in the b2_set_bucket_notification_rules
response. Do NOT base64-decode or otherwise transform it.
ReadonlysignatureValue of the B2_WEBHOOK_SIGNATURE_HEADER header.
Accepts a single string or an array (Node's req.headers returns
string | string[] | undefined). When an array is supplied, the first
non-empty element is used: B2 only ever sends one value, and rejecting
the multi-value case prevents callers from accidentally trusting a
spoofed second header injected by a buggy reverse proxy.
Options for verifyWebhookSignature and requireValidWebhook.