Webhooks

How to handle connection webhooks

To verify that the request is being made from us (and not an impersonator) you can add the following verification step in your request handlers.

1 // Example for Express (Javascript)
2 // This is the secret returned in the response when creating a webhook.
3 const secret = <UNIQUE*SECRET_FOR_ENDPOINT>
4 const payload = req.body;
5 const headers = req.headers;
6 const signedContent = ${headers['svix-id']}.${headers['svix-timestamp']}.${JSON.stringify(payload)};
7 const secretBytes = Buffer.from(secret?.split('*')[1], 'base64');
8 const signature = crypto.createHmac('sha256', secretBytes).update(signedContent).digest('base64');
9 const verified = (headers['svix-signature'] as any).split(' ')
10 .map((x: string) => x.split(',')[1])
11 .includes(signature);
12 // Use the verified boolean to continue processing the webhook if true.

We use our friends at Svix for sending you webhooks, this piece of code verifies that we are the senders.

An easier way is to use the svix library. Here’s an example of using svix lib in js

1 // Example for Express (Javascript) using Svix library.
2 
3 import { Webhook } from 'svix';
4 
5 const secret = <UNIQUE*SECRET_FOR_ENDPOINT>
6 const wh = new Webhook(secret);
7 const payload = req.body;
8 const headers = req.headers;
9 
10 try {
11     //@ts-ignore
12     const verified = wh.verify(JSON.stringify(payload), headers);
13     // This will throw if the webhook comes from an unverified source, returns the verified content on success.
14 
15 } catch (error) {
16     console.log('error verifying', error);
17 }

1	// Example for Express (Javascript)
2	// This is the secret returned in the response when creating a webhook.
3	const secret = <UNIQUE*SECRET_FOR_ENDPOINT>
4	const payload = req.body;
5	const headers = req.headers;
6	const signedContent = ${headers['svix-id']}.${headers['svix-timestamp']}.${JSON.stringify(payload)};
7	const secretBytes = Buffer.from(secret?.split('*')[1], 'base64');
8	const signature = crypto.createHmac('sha256', secretBytes).update(signedContent).digest('base64');
9	const verified = (headers['svix-signature'] as any).split(' ')
10	.map((x: string) => x.split(',')[1])
11	.includes(signature);
12	// Use the verified boolean to continue processing the webhook if true.

1	// Example for Express (Javascript) using Svix library.
2
3	import { Webhook } from 'svix';
4
5	const secret = <UNIQUE*SECRET_FOR_ENDPOINT>
6	const wh = new Webhook(secret);
7	const payload = req.body;
8	const headers = req.headers;
9
10	try {
11	//@ts-ignore
12	const verified = wh.verify(JSON.stringify(payload), headers);
13	// This will throw if the webhook comes from an unverified source, returns the verified content on success.
14
15	} catch (error) {
16	console.log('error verifying', error);
17	}