When an event occurs, Cobalt will send a POST request to your webhook URL with a JSON payload. The payload will include information about the event that occurred. To ensure the webhook is coming from Cobalt, we include a signature in the Cobalt-Verification header. You should validate this signature before processing the webhook.
Here’s an example of how to validate the webhook signature:
const crypto = require('crypto');
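/**
 * Check a webhook signature against an HMAC-SHA256 of the payload.
 *
 * The expected value is the hex HMAC-SHA256 of `JSON.stringify(payload)` keyed
 * with `secretKey`. It is compared with the received signature in constant time.
 *
 * @param {*} payload - Parsed webhook body; it is re-serialized with JSON.stringify.
 * @param {string} signature - Value of the Cobalt-Verification header.
 * @param {string|Buffer} secretKey - Webhook signing secret.
 * @returns {boolean} true only when the signature matches; false for a missing,
 *   non-string, wrong-length or non-matching signature.
 * @throws {TypeError} If `secretKey` is not a value crypto.createHmac accepts.
 */
function verifySignature(payload, signature, secretKey) {
  // A request without the header arrives here as undefined. Buffer.from(undefined)
  // would throw, so treat anything that is not a string as an invalid signature.
  if (typeof signature !== 'string') {
    return false;
  }

  // NOTE(review): the HMAC covers a re-serialization of the parsed body. If the
  // sender signs the raw request bytes, key order or whitespace differences
  // would make valid deliveries fail - confirm against the provider's docs.
  const expectedSignature = crypto
    .createHmac('sha256', secretKey)
    .update(JSON.stringify(payload))
    .digest('hex');

  const received = Buffer.from(signature, 'utf8');
  const expected = Buffer.from(expectedSignature, 'utf8');

  // crypto.timingSafeEqual throws a RangeError when the lengths differ. The
  // length of a hex SHA-256 digest is public, so rejecting early leaks nothing.
  if (received.length !== expected.length) {
    return false;
  }

  return crypto.timingSafeEqual(received, expected);
}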
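// In your webhook handler
app.post('/webhook', (req, res) => {
  const payload = req.body;
  const signature = req.headers['cobalt-verification'];

  // Fail closed: a missing header or any error raised during verification is
  // treated as an invalid signature. Verification can throw on malformed input
  // (for example, crypto.timingSafeEqual rejects buffers of different lengths),
  // and an unauthenticated request should get a 401, not an unhandled exception.
  let isValid = false;
  try {
    isValid =
      typeof signature === 'string' &&
      verifySignature(payload, signature, YOUR_WEBHOOK_SECRET_KEY);
  } catch (err) {
    // Log server-side so a misconfigured secret is still visible to operators.
    console.error('Webhook signature verification failed:', err.message);
  }

  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }

  // NOTE(review): req.body is the parsed JSON, so the signature is checked
  // against a re-serialization of it. If valid deliveries are rejected, confirm
  // whether the signature covers the raw request bytes and verify those instead.

  // Process the webhook payload
  // The payload may contain sensitive data; in production, log identifiers
  // rather than the whole body.
  console.log('Received valid webhook:', payload);
  res.status(200).send('Webhook received');
});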