Webhooks

Receive callbacks from upstream APIs (Stripe events, Twilio messages, Google Drive changes) without exposing your own infrastructure.

Subscription model

You create a webhook subscription from the portal. We give you:

A unique ingest URL: /ingestWebhook/{subscriptionId}
An HMAC signing secret.

Configure the upstream provider to POST to that URL with their default signing scheme (Stripe-Signature, X-Twilio-Signature, etc.). We verify their signature against the provider's spec, then re-sign with our HMAC and forward to your destination URL.

Verifying our signature on YOUR side

Header: X-Connect-Signature: t=timestamp,v1=hex-hmac-sha256

import crypto from 'node:crypto';

function verifyConnectSignature(
  rawBody: string,
  header: string,
  secret: string,
): boolean {
  const parts = Object.fromEntries(
    header.split(',').map((p) => p.split('=')),
  );
  const expected = crypto
    .createHmac('sha256', secret)
    .update(`${parts.t}.${rawBody}`)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected, 'hex'),
    Buffer.from(parts.v1, 'hex'),
  );
}

Reject mismatched timestamps

Replay attacks: discard webhooks where Math.abs(now - parts.t) > 300 (5 minute window).