Webhooks

Verify the signature of inbound provider webhooks and normalise them to the NotificationEvent shape. All verifiers use Web Crypto (globalThis.crypto.subtle), so they run on Cloudflare Workers and other edge runtimes.

import { twilioVerifier, slackVerifier, standardWebhookVerifier, snsVerifier } from "@visulima/notification/webhooks";

// Slack (v0 signing): HMAC-SHA256 of `v0:{timestamp}:{body}` with a 5-minute replay window
const ok = await slackVerifier.verify(rawBody, request.headers, signingSecret);

if (ok) {
    const event = slackVerifier.parse(rawBody); // -> NotificationEvent | undefined
}

Available verifiers

Verifier	Scheme
`twilioVerifier`	`X-Twilio-Signature` — base64 HMAC-SHA1 of URL + sorted params.
`slackVerifier`	v0 signing — hex HMAC-SHA256 of `v0:{ts}:{body}` + replay window.
`standardWebhookVerifier`	Standard Webhooks HMAC-SHA256.
`snsVerifier`	SNS envelope + subscription-confirmation handling.

Each exposes verify(payload, headers, secret) => Promise<boolean> and parse(body) => NotificationEvent | undefined.

SNS full RSA certificate-chain verification is a documented TODO; the verifier handles envelope/type parsing and subscription confirmation today.

Contribute to our work and keep us going

Community is the heart of open source. The success of our packages wouldn't be possible without the incredible contributions of users, testers, and developers who collaborate with us every day.Want to get involved? Here are some tips on how you can make a meaningful impact on our open source projects.

Webhooks

Webhooks

Available verifiers

On this page

Contribute to our work and keep us going

Ready to help us out?

Submit a pull request

Good first issues