Skip to Content
IntegrationsWebhooks

Webhooks

Handle incoming webhooks from external systems with signature verification using standard SvelteKit endpoints.

Writing Webhook Handlers

src/routes/api/webhooks/erp/+server.ts
import { json } from "@sveltejs/kit";
import { verifyHmacSha256 } from "$lib/server/integrations";
import { env } from "$env/dynamic/private";
 
export async function POST({ request }) {
	const body = await request.text();
	const signature = request.headers.get("x-erp-signature");
 
	if (!signature || !verifyHmacSha256(body, signature, env.ERP_WEBHOOK_SECRET!)) {
		return json({ error: "Invalid signature" }, { status: 401 });
	}
 
	const payload = JSON.parse(body);
 
	switch (payload.event) {
		case "inventory.updated":
			await updateStock(payload.sku, payload.quantity);
			break;
		case "order.shipped":
			await markOrderShipped(payload.reference, payload.trackingNumber);
			break;
	}
 
	return json({ received: true });
}

Signature Verifiers

Manual Verification

import { verifyHmacSha256 } from "$lib/server/integrations";
 
const isValid = verifyHmacSha256(
	requestBody,
	signatureHeader,
	secret,
	"sha256=" // optional prefix
);

Pre-built Verifiers

Pre-built verifier functions for common services:

import { signatureVerifiers } from "$lib/server/integrations";
 
// Stripe (uses stripe-signature header)
signatureVerifiers.stripe(request, body, secret);
 
// GitHub (uses x-hub-signature-256 header)
signatureVerifiers.github(request, body, secret);
 
// Generic HMAC header
const verify = signatureVerifiers.hmacHeader("x-webhook-signature");
verify(request, body, secret);
Last updated on
Sync RunnerERP Example