Why should I use webhooks?

Pandabase webhooks can help you build real-time systems and facilitate payment acceptance. If you intend to provide something to a user immediately after a purchase, you can leverage webhook events.

Event Overview

We generate event data and send it to your webhook. There are different event types as mentioned in events. For example, if you want updates on payments, you can use the payment.updated event to receive an update about the payment in your application. We automatically send this immediately once a resource is created in our system.

The event object payload

Here’s an example:

{
  "type": "payment.created",
  "webhook_id": "",
  "data": {
    ...paymentResource
  }
}

Retries

We retry up to 5 times, with each attempt delayed using an exponential backoff. If we receive a 200 status from your application, we mark the delivery as successful. Otherwise, if anything other than 200 is received, we try 5 times max. If it doesn’t succeed after 5 attempts, we email you and mark the webhook as disabled.

Verification

To ensure security, always verify webhooks.

Webhooks can be verified to ensure they were actually sent by Pandabase and not by a malicious entity.

To verify a webhook, you will need your webhook secret or token to confirm the SHA256 HMAC signature. Check the X-Pandabase-Signature header in the webhook response headers.

Here are several examples:

import crypto from "crypto";
import { Request, Response } from "express";

function validateSignature(req: Request, res: Response) {
  if (!req.headers["x-pandabase-signature"]) return res.status(401).send();
  try {
    const valid = crypto.timingSafeEqual(
      Buffer.from(req.headers["x-pandabase-signature"] as string, "hex"),
      Buffer.from(
        crypto
          .createHmac("sha256", "wh_")
          .update(JSON.stringify(req.body))
          .digest("hex"),
        "hex"
      )
    );
    res.status(valid ? 200 : 401).send();
  } catch {
    res.status(401).send();
  }
}

export { validateSignature };

This code calculates the HMAC signature by hashing the JSON string of the webhook payload using the SHA256 algorithm and the provided secret. The result is a hexadecimal digest.