Concepts
Webhooks
Receive signed, verifiable events when objects change.
Webhooks deliver events to your endpoint when objects change. Each delivery is signed so you can verify authenticity.
Events
object.createdobject.deletedupload.completed
Create a webhook
const { id, signingSecret } = await storage.webhooks.create({
url: "https://your-app.com/hooks/vault", // must be https
events: ["object.created", "object.deleted"],
});
// signingSecret is shown only once — store it.Verify a delivery
Each request includes X-Webhook-Timestamp and X-Signature: sha256=<hex>,
computed as HMAC-SHA256(signingSecret, "{timestamp}.{body}").
import { createHmac } from "node:crypto";
function verify(body: string, timestamp: string, signature: string, secret: string) {
const expected = "sha256=" + createHmac("sha256", secret)
.update(`${timestamp}.${body}`).digest("hex");
return expected === signature;
}Deliveries are retried with backoff on non-2xx responses. Respond 2xx quickly
and process asynchronously.