Webhook Payload
Example Response:
Each webhook request includes:
- x-webhook-id: ID of the webhook configuration, to know which one triggered the send
- x-webhook-signature: hash of the payload signed with the webhook's secret. Used to validate the payload
To confirm that a request really comes from thirdweb webhooks, it is highly recommended to verify the payload.
Each webhook has a webhook_secret, which is used to sign the raw payload. The resulting signature is then attached to the headers.
To verify the webhook:
You need to use the raw request body when verifying webhooks, because the cryptographic signature is sensitive to even the slightest change. Watch out for frameworks that parse the request as JSON and then stringify it, because this will also break signature verification.
You can optionally also verify the age of the payload.
After you have verified the signature, you can be sure the timestamp in the payload is correct and apply any time limit you wish.
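One way to implement the signature and age checks described above, as an added example that is not thirdweb's own code. It assumes the signature is a hex-encoded HMAC-SHA256 of the raw body and that the payload carries a top-level timestamp in Unix seconds; the name verifyWebhook, the secret and the sample body are constructed for illustration.

```javascript
// Added example. Assumptions: HMAC-SHA256, hex-encoded signature, and a
// top-level `timestamp` field in Unix seconds. Check these against your setup.
const nodeCrypto = require("node:crypto");

function verifyWebhook(rawBody, signatureHeader, secret, maxAgeSeconds = 300, nowMs = Date.now()) {
  if (!Buffer.isBuffer(rawBody)) {
    throw new TypeError("rawBody must be the unparsed request bytes");
  }
  if (typeof signatureHeader !== "string") {
    return { ok: false, reason: "missing-signature" };
  }
  const expected = nodeCrypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, "hex");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length || !nodeCrypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // Parse and trust the body only after the signature has checked out.
  let payload;
  try {
    payload = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return { ok: false, reason: "bad-json" };
  }
  const ageSeconds = Math.floor(nowMs / 1000) - Number(payload?.timestamp);
  if (!Number.isFinite(ageSeconds) || Math.abs(ageSeconds) > maxAgeSeconds) {
    return { ok: false, reason: "stale" };
  }
  return { ok: true, payload };
}

// Constructed sample data, not real thirdweb values.
const SECRET = "example-webhook-secret";
const RAW = Buffer.from('{ "timestamp": 1700000000, "example": true }');
const SIG = nodeCrypto.createHmac("sha256", SECRET).update(RAW).digest("hex");
const NOW = 1700000060 * 1000; // 60 seconds after the payload timestamp

function demo() {
  // Parsing and re-stringifying drops the spaces, so the bytes no longer match.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(RAW.toString("utf8"))));
  return {
    raw: verifyWebhook(RAW, SIG, SECRET, 300, NOW).ok,
    reserialized: verifyWebhook(reserialized, SIG, SECRET, 300, NOW).reason,
    stale: verifyWebhook(RAW, SIG, SECRET, 300, NOW + 3600 * 1000).reason,
  };
}
console.log(demo());
```

In a real handler, rawBody must come from a body reader that hands over the untouched bytes (for example a raw-body parser on the webhook route), not from an already parsed JSON object.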
If a blockchain reorganization occurs:
- You'll receive an event with status: "reverted" instead of status: "new"
- You should handle this by reverting any actions taken for the original event