Security & validation

To ensure the security of your integration with Orq.ai, it is crucial to verify that all webhook requests originate from Orq.ai. This involves validating the webhook signatures to prevent unauthorized access and manipulation.

Webhook validation

For signature verification, it is essential to use the raw body of the request. If you are using a framework, ensure that it does not alter the raw body, as any manipulation will cause the verification process to fail.

Key Points

  • Raw Body Requirement: Ensure the raw body of the request is used for verification. Avoid any transformations by your framework that might alter it.
  • Signature Header: The signature is retrieved from the X-Orq-Signature header.
  • Exception Handling: Implement exception handling to manage invalid request bodies and signature verification failures.

import express, { Request, Response } from 'express';
import { WebhookEvent, WebhookEventType } from '@orq-ai/node';

const app = express();
const port = 3000;

const webhookSecret = 'orq_wk_...';

app.post('/webhooks', (req: Request, res: Response) => {
  const signature = req.headers['x-orq-signature'] as string;
  const rawBody = req.body;

  let event: WebhookEvent;

  try {
    const requestBody = JSON.parse(rawBody.toString());

    event = client.webhooks.constructEvent(
      requestBody,
      signature,
      webhookSecret
    );

    switch (event.type) {
      case WebhookEventType.DeploymentInvoked:
        console.log('Deployment invoked:', event.data);
    }

    res.json({ received: true });
  } catch (err) {
    console.error('Error validating webhook event:', e);
    return res.status(400).send(`Webhook Error: ${e.message}`);
  }
});

app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`);
});


from fastapi import Request, FastAPI

import orq_ai_sdk.exceptions

webhook_secret = 'orq_wk_...'

app = FastAPI()


@app.post("/webhooks")
async def get_body(request: Request):
    request_body = await request.json()
    signature = request.headers.get("X-Orq-Signature")
    event = None

    try:
        event = client.webhooks.construct_event(
            request_body,
            signature,
            webhook_secret
        )
    except ValueError as e:
        # Invalid request body
        print('Error parsing payload: {}'.format(str(e)))
    except orq_ai_sdk.exceptions.SignatureVerificationException as e:
        # Invalid signature
        print('Error verifying webhook signature: {}'.format(str(e)))

    if event['type'] == 'deployment.invoked':
        from orq_ai_sdk.api_resources.webhooks import WebhookDeploymentInvokedEvent
        
        invoked_event = WebhookDeploymentInvokedEvent.model_validate(event['data'])
        print('Deployment invoked: {}'.format(invoked_event))







By following these steps, you can effectively secure your webhooks and ensure that only authentic requests from Orq.ai are processed.