Skip to main content

Webhook validation

For signature verification, it is essential to use the raw body of the request. If you are using a framework, ensure that it does not alter the raw body, as any manipulation will cause the verification process to fail.

Key Points

  • Raw Body Requirement: Ensure the raw body of the request is used for verification. Avoid any transformations by your framework that might alter it.
  • Signature Header: The signature is retrieved from the X-Orq-Signature header.
  • Exception Handling: Implement exception handling to manage invalid request bodies and signature verification failures.
import express, { Request, Response } from 'express';
import { WebhookEvent, WebhookEventType } from '@orq-ai/node';

const app = express();
const port = 3000;

const webhookSecret = 'orq_wk_...';

app.post('/webhooks', (req: Request, res: Response) => {
  const signature = req.headers['x-orq-signature'] as string;
  const rawBody = req.body;

  let event: WebhookEvent;

  try {
    const requestBody = JSON.parse(rawBody.toString());

    event = client.webhooks.constructEvent(
      requestBody,
      signature,
      webhookSecret
    );

    switch (event.type) {
      case WebhookEventType.DeploymentInvoked:
        console.log('Deployment invoked:', event.data);
    }

    res.json({ received: true });
  } catch (e) {
    console.error('Error validating webhook event:', e);
    return res.status(400).send(`Webhook Error: ${e.message}`);
  }
});

app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`);
});
By following these steps, you can effectively secure your webhooks and ensure that only authentic requests from orq.ai are processed.