Overview

Webhooks work without any verification, but verifying that each request comes from the expected source is considered mandatory. A webhook delivery is just an ordinary HTTP POST request, so a malicious user can send a request to your endpoint and trigger an action that you didn’t intend to happen.

To prevent this, Roastify (via its webhook service, Svix) signs every webhook and its metadata with a key that is unique to each endpoint. You can then use this signature to verify that the webhook really comes from the expected source.

To learn more about the different webhook vulnerabilities, visit Svix Security.

Verify a webhook

The easiest method to verify an incoming webhook is to use one of the Svix client libraries found here. This page will show you how to verify a webhook using one of their provided libraries or methods for manual verification.

If you have any issues with this, please reach out to us and we can help you get up and running.