Handle webhooks | Reventlov

Create an endpoint:

$ curl -X POST $API/api/v1/webhook-endpoints \
>   -H "Authorization: Bearer $REVENTLOV_API_KEY" \
>   -d '{"url":"https://example.com/hooks","events":["directive.issued"]}'

Save the returned secret — you’ll use it to verify signatures.
On your server, verify:

1 import { createHmac, timingSafeEqual } from 'node:crypto';
2 
3 export function verify(req: Request, raw: string, secret: string) {
4   const h = req.headers.get('x-reventlov-signature') ?? '';
5   const [tPart, vPart] = h.split(',');
6   const t = Number(tPart.split('=')[1]);
7   const sig = vPart.split('=')[1];
8   const expected = createHmac('sha256', secret).update(`${t}.${raw}`).digest('hex');
9   return timingSafeEqual(Buffer.from(expected), Buffer.from(sig));
10 }

Reject if the timestamp is older than 5 minutes to prevent replay.