Webhook handling with signature verification.
Forge provides a structured way to receive webhooks from external services with automatic signature verification and idempotency handling.
§Signature Verification
Webhooks can verify signatures using HMAC-SHA256 or other algorithms:
#[forge::webhook(
    path = "/webhooks/stripe",
    signature = "hmac_sha256",
    secret_env = "STRIPE_WEBHOOK_SECRET"
)]
async fn handle_stripe(ctx: &WebhookContext, payload: StripeEvent) -> WebhookResult {
    // Signature already verified
}
§Idempotency
Webhooks can be configured to deduplicate based on a header or payload field:
#[forge::webhook(
    path = "/webhooks/github",
    idempotency_key = "header:X-GitHub-Delivery"
)]
§Key Types
- WebhookContext - Request context with headers and raw body
- SignatureConfig - Signature verification settings
- IdempotencyConfig - Deduplication settings
Structs§
- IdempotencyConfig - Configuration for webhook idempotency.
- SignatureConfig - Configuration for webhook signature validation.
- WebhookContext - Context available to webhook handlers.
- WebhookInfo - Metadata for a registered webhook handler.
- WebhookSignature - Helper for constructing signature configurations.
Enums§
- IdempotencySource - Source for extracting idempotency key.
- SignatureAlgorithm - Supported signature algorithms.
- WebhookResult
Constants§
- DEFAULT_REPLAY_WINDOW_SECS - Default replay window for non-Stripe webhook signature schemes (5 minutes). Stripe enforces its own 5-minute window via the t= field in its header and ignores this value.
- REPLAY_TIMESTAMP_HEADER - Header used by non-Stripe schemes to convey the request’s unix-seconds timestamp. Senders that don’t ship this header are rejected when the scheme requires replay protection.
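The replay window and the idempotency key described above cover different cases: the timestamp bounds how long a captured request stays usable, and the key stops a replay inside that window. The sketch below is an added example, not Forge's own code; `admit`, `Reject` and `REPLAY_WINDOW_SECS` are hypothetical names, and it assumes the signature has already verified and covers the timestamp.

```rust
use std::collections::HashMap;

// Constructed for this example: the 5-minute default replay window.
const REPLAY_WINDOW_SECS: u64 = 300;

#[derive(Debug, PartialEq)]
enum Reject { MissingTimestamp, OutsideWindow, Duplicate }

// Hypothetical admission check, run only after the signature has verified.
// `timestamp` is the sender's unix-seconds value (None if the header was
// absent); `seen` maps idempotency key -> the signed timestamp it arrived with.
fn admit(now: u64, timestamp: Option<u64>, key: &str,
         seen: &mut HashMap<String, u64>) -> Result<(), Reject> {
    // A request without a timestamp cannot be replay-checked: reject it.
    let ts = timestamp.ok_or(Reject::MissingTimestamp)?;
    // abs_diff rejects stale requests and ones dated too far in the future.
    if now.abs_diff(ts) > REPLAY_WINDOW_SECS {
        return Err(Reject::OutsideWindow);
    }
    // Prune by the signed timestamp, not by arrival time: an entry is dropped
    // only once a replay of it would already fail the window check above.
    // Pruning by arrival time would forget future-dated requests too early.
    seen.retain(|_, signed_ts| now.saturating_sub(*signed_ts) <= REPLAY_WINDOW_SECS);
    // Inside the window the timestamp alone does not stop a replay.
    if seen.contains_key(key) {
        return Err(Reject::Duplicate);
    }
    seen.insert(key.to_string(), ts);
    Ok(())
}

fn main() {
    // Constructed deliveries: (arrival time, timestamp header, delivery id).
    let mut seen = HashMap::new();
    let t0 = 1_700_000_000;
    for (now, ts, id) in [
        (t0, Some(t0), "d-1"),       // fresh delivery
        (t0 + 10, Some(t0), "d-1"),  // replay inside the window
        (t0 + 10, None, "d-2"),      // sender omitted the timestamp
        (t0 + 400, Some(t0), "d-3"), // older than the window
    ] {
        println!("{}: {:?}", id, admit(now, ts, id, &mut seen));
    }
}
```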
Traits§
- ForgeWebhook - Trait for inbound webhook handlers.