Webhook Handler Agent Skill
Receive webhooks, signature verification, retry logic, and idempotency patterns.
The Skill
---
description: Receive webhooks, signature verification, retry logic, and idempotency patterns.
homepage: https://yepapi.com/skills/webhook-handler
metadata:
  tags: [webhooks, events, signatures, integrations]
---
# Webhook Handler
## Rules
- Always verify webhook signatures — never trust unverified payloads
- Raw body for signature verification — use `request.text()` or disable body parsing for webhook routes
- Idempotency: store processed event IDs, skip duplicates — webhooks are delivered at-least-once
- Return 200 quickly — do heavy processing in a background job/queue, not in the handler
- Stripe: `stripe.webhooks.constructEvent(rawBody, sig, endpointSecret)`
- GitHub: HMAC-SHA256 — `crypto.timingSafeEqual(computedSig, headerSig)`
- Svix: `wh.verify(rawBody, headers)` from `svix` package
- Log all incoming webhooks with event type, ID, and timestamp for debugging
- Type-narrow on event type: `switch (event.type) { case "checkout.session.completed": ... }`
## Patterns
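```ts
// Next.js App Router webhook route
import Stripe from "stripe";
import { db } from "@/lib/db"; // assumed path: the app's Prisma client
import { handleCheckoutComplete } from "@/lib/checkout"; // assumed path: the app's own handler

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!); // assumed env var name

export async function POST(req: Request) {
  // Read the raw body: the signature covers the exact bytes that were sent
  const rawBody = await req.text();
  const sig = req.headers.get("stripe-signature");
  if (!sig) return new Response("Invalid signature", { status: 400 });

  let event: Stripe.Event;
  try {
    event = stripe.webhooks.constructEvent(rawBody, sig, process.env.STRIPE_WEBHOOK_SECRET!);
  } catch {
    return new Response("Invalid signature", { status: 400 });
  }

  // Idempotency check (eventId should carry a unique constraint in the schema)
  const existing = await db.webhookEvent.findUnique({ where: { eventId: event.id } });
  if (existing) return new Response("Already processed", { status: 200 });
  await db.webhookEvent.create({ data: { eventId: event.id, type: event.type } });

  // Type-narrow on the event type before touching event.data.object
  switch (event.type) {
    case "checkout.session.completed":
      await handleCheckoutComplete(event.data.object);
      break;
  }
  return new Response("OK", { status: 200 });
}
```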
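The Rules name HMAC-SHA256 with `crypto.timingSafeEqual` for GitHub but the pattern above only shows Stripe, so here is the same verify-then-deduplicate path for a `sha256=<hex>` signature header. This is an added example, not part of the skill file: `signBody`, `verifySignature`, `receive` and the in-memory `seen` set are hypothetical names, and the set stands in for a database table.

```ts
import { createHmac, timingSafeEqual } from "node:crypto";

const PREFIX = "sha256="; // GitHub sends X-Hub-Signature-256: sha256=<hex digest>

// Sender side, used here only to build constructed test deliveries.
function signBody(rawBody: string, secret: string): string {
  return PREFIX + createHmac("sha256", secret).update(rawBody, "utf8").digest("hex");
}

// Receiver side: recompute the HMAC over the exact bytes received and
// compare the two digests in constant time.
function verifySignature(rawBody: string, header: string | null, secret: string): boolean {
  if (!header || !header.startsWith(PREFIX)) return false;
  const expected = createHmac("sha256", secret).update(rawBody, "utf8").digest();
  // Invalid hex decodes to a shorter buffer and fails the length check below.
  const received = Buffer.from(header.slice(PREFIX.length), "hex");
  // timingSafeEqual throws on unequal lengths; the digest length is public,
  // so checking it first reveals nothing about the secret.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(expected, received);
}

// Hypothetical in-memory store; in production use a table with a unique
// index on the event ID so concurrent retries cannot both be accepted.
const seen = new Set<string>();

type Outcome = "rejected" | "duplicate" | "accepted";

// Verify first, then de-duplicate, so unauthenticated input never reaches
// the processed-events store.
function receive(rawBody: string, header: string | null, eventId: string, secret: string): Outcome {
  if (!verifySignature(rawBody, header, secret)) return "rejected";
  if (seen.has(eventId)) return "duplicate";
  seen.add(eventId);
  return "accepted"; // hand the event to a queue here, then answer 200
}
```

Passing a re-serialized body (`JSON.stringify(JSON.parse(rawBody))`) to `verifySignature` fails whenever the sender's whitespace or key order differs, which is why the route must read the raw text.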
## Avoid
- Skipping signature verification — this is a critical security vulnerability
- Doing slow work inside the webhook handler — respond fast, process async
- Assuming webhooks arrive in order — use event timestamps to resolve conflicts
- Missing idempotency — webhooks can be retried and delivered multiple times
Why Use the Webhook Handler Skill?
Without this skill, your AI guesses at webhook handler patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Webhook Handler skill installed. Your AI knows the context and writes code that fits.
"Build a webhook receiver with signature verification, retry handling, and idempotency"
"Create a webhook processing system with event logging, failure alerts, and replay capability"
"Set up Stripe/GitHub webhook handlers with proper signature verification and event routing"
Webhook Handler skill — FAQ
It covers webhook receiving, signature verification, retry logic, and idempotency patterns. Your AI builds webhook handlers that are secure, reliable, and resistant to duplicate processing.
Run `npx skills add YepAPI/skills --skill webhook-handler` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
The skill includes signature verification patterns for Stripe, GitHub, and generic HMAC webhooks. It computes the expected signature and compares it with the received one using a timing-safe comparison to prevent timing attacks.