[ [0x50] Tutorials ] Webhooks Setup

Webhooks Setup

> Build a production-grade webhook system with 22 event types, HMAC-SHA256 verification, and automatic retries.

Overview

[ [0x50] STATUS ]

22 webhook event types across 5 categories, HMAC-SHA256 signature verification, automatic retry with exponential backoff, delivery tracking and status monitoring, per-organization webhook management.

Features

[ [0x01] 22_EVENTS ]

STATUS: READY

DESC: Event types across 5 categories.

[ [0x02] HMAC_SHA256 ]

STATUS: READY

DESC: Signature verification for security.

[ [0x03] AUTO_RETRY ]

STATUS: READY

DESC: Exponential backoff on failures.

[ [0x04] TRACKING ]

STATUS: READY

DESC: Delivery status monitoring.

Usage

[ [0x12] TRIGGERING WEBHOOKS ]

Use src/lib/webhooks/server.ts to trigger events

1import { triggerWebhook } from "@/lib/webhooks/server";
2import { WEBHOOK EVENTS } from "@/lib/webhooks/events";
3
4// Trigger when a member is added
5await triggerWebhook(
6  organizationId,
7  WEBHOOK EVENTS.ORG_MEMBER_ADDED,
8  {
9    memberId: "mem_123",
10    userId: "user_456",
11    email: "newmember@example.com",
12    role: "MEMBER"
13  }
14);

[ [0x04] HMAC SIGNATURE VERIFICATION ]

Verify webhook signatures in your receiver

1import crypto from "crypto";
2
3export async function POST(request: Request) {
4  const payload = await request.text();
5  const signature = request.headers.get("X-Webhook-Signature");
6
7  const secret = process.env.WEBHOOK_SECRET;
8
9  const expectedSignature = crypto
10    .createHmac("sha256", secret)
11    .update(payload)
12    .digest("hex");
13
14  const isValid = crypto.timingSafeEquals(
15    Buffer.from(signature || ""),
16    Buffer.from(expectedSignature)
17  );
18
19  if (!isValid) {
20    return new Response("Invalid signature", { status: 401 });
21  }
22
23  const data = JSON.parse(payload);
24  return new Response("OK", { status: 200 });
25}

[ [0xF4] TESTING WEBHOOKS ]

Use ngrok to test webhooks locally

1$# Expose local server
2$ngrok http 3000
3
4$# Trigger a test webhook
5$curl -X POST http://localhost:3000/api/test-webhook \
6$  -H "Content-Type: application/json" \
7$  -d '{"event": "payment.succeeded"}'

Webhook Headers

[ [0x66] HEADERS ]

├─ X-Webhook-Signature - HMAC-SHA256 signature

├─ X-Webhook-Event - Event type

├─ X-Webhook-Delivery-ID - Unique delivery ID

├─ X-Webhook-Retry - Retry attempt number

└─ User-Agent - Fabrk-Webhooks/1.0

Retry Schedule

[ [0x2F] RETRY SCHEDULE ]

├─ Attempt 1: Immediate

├─ Retry 1: After 1 minute

├─ Retry 2: After 5 minutes

├─ Retry 3: After 15 minutes

├─ Retry 4: After 1 hour

└─ Retry 5: After 6 hours (max)

Troubleshooting

[ [0xC0] COMMON ERRORS ]

[ERROR]: Signature verification failed (401 Unauthorized)

Solution: Verify WEBHOOK_SECRET matches between sender and receiver

# Generate a shared secret
openssl rand -hex 32

# Add to both sender and receiver .env.local
WEBHOOK_SECRET="your-generated-secret"

# Sender uses it to sign, receiver uses it to verify

[ERROR]: Webhook endpoint not receiving events

Solution: Test webhook URL is accessible

# For local testing, expose with ngrok
ngrok http 3000

# Use the ngrok URL in webhook configuration
https://abc123.ngrok.io/api/webhooks/your-endpoint

# Verify endpoint responds
curl https://abc123.ngrok.io/api/webhooks/your-endpoint

[ERROR]: Duplicate events being processed

Solution: Implement idempotency check using delivery ID

// Store processed delivery IDs
const deliveryId = request.headers.get("X-Webhook-Delivery-ID");

// Check if already processed
const existing = await prisma.webhookDelivery.findUnique({
  where: { deliveryId }
});

if (existing) {
  return new Response("Already processed", { status: 200 });
}

[ERROR]: Webhook timing out (504 Gateway Timeout)

Solution: Process webhook asynchronously, respond immediately

// Don't process synchronously
export async function POST(request: Request) {
  // Validate signature first
  const isValid = verifySignature(request);
  if (!isValid) return new Response("Invalid", { status: 401 });

  // Queue for background processing
  await queueWebhookProcessing(request.body);

  // Respond immediately
  return new Response("OK", { status: 200 });
}

Next Steps

[ [0x00] API ROUTES ]

DESC: Build more API endpoints

[ [0x00] STRIPE PAYMENTS ]

DESC: Trigger payment webhooks

Usage

[ [0x12] TRIGGERING WEBHOOKS ]

Use src/lib/webhooks/server.ts to trigger events

1import { triggerWebhook } from "@/lib/webhooks/server";
2import { WEBHOOK EVENTS } from "@/lib/webhooks/events";
3
4// Trigger when a member is added
5await triggerWebhook(
6  organizationId,
7  WEBHOOK EVENTS.ORG_MEMBER_ADDED,
8  {
9    memberId: "mem_123",
10    userId: "user_456",
11    email: "newmember@example.com",
12    role: "MEMBER"
13  }
14);

[ [0x04] HMAC SIGNATURE VERIFICATION ]

Verify webhook signatures in your receiver

1import crypto from "crypto";
2
3export async function POST(request: Request) {
4  const payload = await request.text();
5  const signature = request.headers.get("X-Webhook-Signature");
6
7  const secret = process.env.WEBHOOK_SECRET;
8
9  const expectedSignature = crypto
10    .createHmac("sha256", secret)
11    .update(payload)
12    .digest("hex");
13
14  const isValid = crypto.timingSafeEquals(
15    Buffer.from(signature || ""),
16    Buffer.from(expectedSignature)
17  );
18
19  if (!isValid) {
20    return new Response("Invalid signature", { status: 401 });
21  }
22
23  const data = JSON.parse(payload);
24  return new Response("OK", { status: 200 });
25}

[ [0xF4] TESTING WEBHOOKS ]

Use ngrok to test webhooks locally

1$# Expose local server
2$ngrok http 3000
3
4$# Trigger a test webhook
5$curl -X POST http://localhost:3000/api/test-webhook \
6$  -H "Content-Type: application/json" \
7$  -d '{"event": "payment.succeeded"}'

Troubleshooting

[ [0xC0] COMMON ERRORS ]

[ERROR]: Signature verification failed (401 Unauthorized)

Solution: Verify WEBHOOK_SECRET matches between sender and receiver

# Generate a shared secret
openssl rand -hex 32

# Add to both sender and receiver .env.local
WEBHOOK_SECRET="your-generated-secret"

# Sender uses it to sign, receiver uses it to verify

[ERROR]: Webhook endpoint not receiving events

Solution: Test webhook URL is accessible

# For local testing, expose with ngrok
ngrok http 3000

# Use the ngrok URL in webhook configuration
https://abc123.ngrok.io/api/webhooks/your-endpoint

# Verify endpoint responds
curl https://abc123.ngrok.io/api/webhooks/your-endpoint

[ERROR]: Duplicate events being processed

Solution: Implement idempotency check using delivery ID

// Store processed delivery IDs
const deliveryId = request.headers.get("X-Webhook-Delivery-ID");

// Check if already processed
const existing = await prisma.webhookDelivery.findUnique({
  where: { deliveryId }
});

if (existing) {
  return new Response("Already processed", { status: 200 });
}

[ERROR]: Webhook timing out (504 Gateway Timeout)

Solution: Process webhook asynchronously, respond immediately

// Don't process synchronously
export async function POST(request: Request) {
  // Validate signature first
  const isValid = verifySignature(request);
  if (!isValid) return new Response("Invalid", { status: 401 });

  // Queue for background processing
  await queueWebhookProcessing(request.body);

  // Respond immediately
  return new Response("OK", { status: 200 });
}