Area: Integration / API (audit p13) · Surface: mobieusAPI / docs · Dimension: competitor-gap · Severity: minor
Stripe, Intercom, and Zendesk ship official client libraries and a documented webhook signature-verification snippet; Svix ships verify helpers in every major language. Mobieus invented its own HMAC header format (single + dual-signed during rotation) but gives integrators no reference implementation, so every customer must reverse-engineer the canonical-body + dual-secret logic from the OpenAPI prose to validate a webhook. That is the single most error-prone part of consuming webhooks and the most common support driver. Even a one-file PHP/JS/Python verify() snippet in the docs would close most of the gap.
Evidence
`find` for any sdk path or *-sdk-* outside vendor returns nothing; docs/api/ contains only openapi.yaml. Webhooks sign with a custom 'Mobieus-Signature' header (platform/bin/process-webhook-queue.php:127) using WebhookSigner::sign/signDual, but no published verification helper exists for receivers in any language.
Suggested fix. Publish a docs/api/verifying-webhooks.md with verify() snippets in PHP/Node/Python that reproduce WebhookSigner's canonical string + dual-secret handling, and link it from the Redoc page; a thin official Node/PHP SDK wrapping the bearer-auth + cursor pagination would be the larger follow-on.
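Added example of the receiver-side verify() helper the fix asks for; this is illustrative code, not Mobieus's WebhookSigner or anything from its docs. The canonical string "<timestamp>.<raw body>", the comma-separated "v1=<hex>" layout of the Mobieus-Signature header and the timestamp being handed in separately are assumptions, since the real rule lives only in the signer source.

```python
import hashlib
import hmac
import time

# ASSUMPTIONS (not taken from the Mobieus code base): the signer HMAC-SHA256s
# the canonical string "<unix timestamp>.<raw body>" and sends the result in
# the Mobieus-Signature header as comma-separated "v1=<hex>" items, two of
# them while a secret rotation is in flight (old secret and new secret).
def canonical_string(timestamp: str, raw_body: bytes) -> bytes:
    return timestamp.encode() + b"." + raw_body

def sign(timestamp: str, raw_body: bytes, secret: bytes) -> str:
    """Sender side, included only so the example is self-contained."""
    mac = hmac.new(secret, canonical_string(timestamp, raw_body), hashlib.sha256)
    return "v1=" + mac.hexdigest()

def parse_signature_header(header: str) -> list:
    """Return every well-formed v1 signature in the header as raw bytes."""
    sigs = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "v1" and value:
            try:
                sigs.append(bytes.fromhex(value))
            except ValueError:
                pass  # malformed entry: skip it, never fail open
    return sigs

def verify(raw_body: bytes, header: str, timestamp: str, secrets: list,
           now=None, tolerance: int = 300) -> bool:
    """Receiver side: accept if any active secret validates any presented MAC.
    raw_body must be the exact bytes received (not re-serialised JSON); the
    timestamp window bounds replay of a captured delivery."""
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs((time.time() if now is None else now) - ts) > tolerance:
        return False
    presented = parse_signature_header(header)
    if not presented:
        return False
    message = canonical_string(timestamp, raw_body)
    for secret in secrets:  # during rotation the receiver may hold both secrets
        expected = hmac.new(secret, message, hashlib.sha256).digest()
        # compare_digest is constant-time, so timing does not leak the MAC
        if any(hmac.compare_digest(expected, s) for s in presented):
            return True
    return False
```

A receiver that has only the old secret configured still validates a dual-signed delivery, which is what makes the rotation window safe to cut over.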
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus