Vault
Concepts

Webhooks

Receive signed, verifiable events when objects change.

Webhooks deliver events to your endpoint when objects change. Each delivery is signed so you can verify authenticity.

Events

  • object.created
  • object.deleted
  • upload.completed

Create a webhook

const { id, signingSecret } = await storage.webhooks.create({
  url: "https://your-app.com/hooks/vault", // must be https
  events: ["object.created", "object.deleted"],
});
// signingSecret is shown only once — store it.

Verify a delivery

Each request includes X-Webhook-Timestamp and X-Signature: sha256=<hex>, computed as HMAC-SHA256(signingSecret, "{timestamp}.{body}").

import { createHmac } from "node:crypto";

function verify(body: string, timestamp: string, signature: string, secret: string) {
  const expected = "sha256=" + createHmac("sha256", secret)
    .update(`${timestamp}.${body}`).digest("hex");
  return expected === signature;
}

Deliveries are retried with backoff on non-2xx responses. Respond 2xx quickly and process asynchronously.

On this page