Webhooks

How to handle connection webhooks

To verify that the request is being made from us (and not an impersonator) you can add the following verification step in your request handlers.

1// Example for Express (Javascript)
2// This is the secret returned in the response when creating a webhook.
3const secret = <UNIQUE*SECRET_FOR_ENDPOINT>
4const payload = req.body;
5const headers = req.headers;
6const signedContent = ${headers['svix-id']}.${headers['svix-timestamp']}.${JSON.stringify(payload)};
7const secretBytes = Buffer.from(secret?.split('*')[1], 'base64');
8const signature = crypto.createHmac('sha256', secretBytes).update(signedContent).digest('base64');
9const verified = (headers['svix-signature'] as any).split(' ')
10.map((x: string) => x.split(',')[1])
11.includes(signature);
12// Use the verified boolean to continue processing the webhook if true.

We use our friends at Svix for sending you webhooks, this piece of code verifies that we are the senders.

An easier way is to use the svix library. Here’s an example of using svix lib in js

1// Example for Express (Javascript) using Svix library.
2
3import { Webhook } from 'svix';
4
5const secret = <UNIQUE*SECRET_FOR_ENDPOINT>
6const wh = new Webhook(secret);
7const payload = req.body;
8const headers = req.headers;
9
10try {
11 //@ts-ignore
12 const verified = wh.verify(JSON.stringify(payload), headers);
13 // This will throw if the webhook comes from an unverified source, returns the verified content on success.
14
15} catch (error) {
16 console.log('error verifying', error);
17}