← 返回 Skills 市场
prateek32177

Hookflo Webhooks

作者 Prateek Jain · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
727
总下载
2
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install hookflo-tern
功能描述
Use this skill for requests touching webhooks, event-driven infrastructure, or real-time HTTP callbacks — from beginner setup to advanced security and archit...
使用说明 (SKILL.md)

Hookflo + Tern Webhook Skill

This skill covers two tightly related tools in the Hookflo ecosystem:

  1. Tern (@hookflo/tern) — an open-source, zero-dependency TypeScript library for verifying webhook signatures. Algorithm-agnostic, supports all major platforms.
  2. Hookflo — a hosted webhook event alerting and logging platform. Sends real-time Slack/email alerts when webhooks fire. No code required on their end; you point your provider at Hookflo's URL and configure alerts in the dashboard.

Mental Model

Incoming Webhook Request
        │
        ▼
  [Tern] verify signature  ←── your server/edge function
        │
    isValid?
        │
   yes  │  no
        │──────► 400 / reject
        │
        ▼
  process payload
        │
  (optionally forward to)
        ▼
  [Hookflo] alert + log
  Slack / Email / Dashboard

Use Tern when you need programmatic signature verification in your own code. Use Hookflo when you want no-code / low-code alerting and centralized event logs. They can be used together or independently.

Part 1 — Tern (Webhook Verification Library)

Installation

npm install @hookflo/tern

No other dependencies required. Full TypeScript support.

Core API

WebhookVerificationService.verify(request, config)

The primary method. Returns a WebhookVerificationResult.

import { WebhookVerificationService } from '@hookflo/tern';

const result = await WebhookVerificationService.verify(request, {
  platform: 'stripe',
  secret: process.env.STRIPE_WEBHOOK_SECRET!,
  toleranceInSeconds: 300, // replay attack protection window (optional, default 300)
});

if (result.isValid) {
  console.log('Verified payload:', result.payload);
  console.log('Metadata:', result.metadata); // timestamp, id, etc.
} else {
  console.error('Rejected:', result.error);
  // return 400
}

WebhookVerificationService.verifyWithPlatformConfig(request, platform, secret, tolerance?)

Shorthand that accepts just a platform name + secret.

const result = await WebhookVerificationService.verifyWithPlatformConfig(
  request,
  'github',
  process.env.GITHUB_WEBHOOK_SECRET!
);

WebhookVerificationService.verifyTokenBased(request, webhookId, webhookToken)

For token-based platforms (Supabase, GitLab).

const result = await WebhookVerificationService.verifyTokenBased(
  request,
  process.env.SUPABASE_WEBHOOK_ID!,
  process.env.SUPABASE_WEBHOOK_TOKEN!
);

WebhookVerificationResult type

interface WebhookVerificationResult {
  isValid: boolean;
  error?: string;
  platform: WebhookPlatform;
  payload?: any;             // parsed JSON body
  metadata?: {
    timestamp?: string;
    id?: string | null;
    [key: string]: any;
  };
}

Built-in Platform Configs

Platform Algorithm Signature Header Format
stripe HMAC-SHA256 stripe-signature t={ts},v1={sig}
github HMAC-SHA256 x-hub-signature-256 sha256={sig}
clerk HMAC-SHA256 (base64) svix-signature v1,{sig}
supabase Token-based custom
gitlab Token-based x-gitlab-token
shopify HMAC-SHA256 x-shopify-hmac-sha256 raw
vercel HMAC-SHA256 custom
polar HMAC-SHA256 custom
dodo HMAC-SHA256 (svix) webhook-signature v1,{sig}

Always use the lowercase string name (e.g., 'stripe', 'github').

Custom Platform Configuration

For any provider not in the list, supply a full signatureConfig:

import { WebhookVerificationService } from '@hookflo/tern';

// Standard HMAC-SHA256 with prefix
const result = await WebhookVerificationService.verify(request, {
  platform: 'acmepay',
  secret: 'your_secret',
  signatureConfig: {
    algorithm: 'hmac-sha256',
    headerName: 'x-acme-signature',
    headerFormat: 'prefixed',
    prefix: 'sha256=',
    payloadFormat: 'raw',
  },
});

// Timestamped payload (signs "{timestamp}.{body}")
const result2 = await WebhookVerificationService.verify(request, {
  platform: 'mypay',
  secret: 'your_secret',
  signatureConfig: {
    algorithm: 'hmac-sha256',
    headerName: 'x-webhook-signature',
    headerFormat: 'raw',
    timestampHeader: 'x-webhook-timestamp',
    timestampFormat: 'unix',
    payloadFormat: 'timestamped',
  },
});

// Svix/StandardWebhooks compatible (Clerk, Dodo, etc.)
const result3 = await WebhookVerificationService.verify(request, {
  platform: 'my-svix-platform',
  secret: 'whsec_abc123...',
  signatureConfig: {
    algorithm: 'hmac-sha256',
    headerName: 'webhook-signature',
    headerFormat: 'raw',
    timestampHeader: 'webhook-timestamp',
    timestampFormat: 'unix',
    payloadFormat: 'custom',
    customConfig: {
      payloadFormat: '{id}.{timestamp}.{body}',
      idHeader: 'webhook-id',
    },
  },
});

SignatureConfig fields:

  • algorithm: 'hmac-sha256' | 'hmac-sha1' | 'hmac-sha512' | custom
  • headerName: the HTTP header that carries the signature
  • headerFormat: 'raw' | 'prefixed' | 'comma-separated' | 'space-separated'
  • prefix: string prefix to strip before comparing (e.g. 'sha256=')
  • timestampHeader: header name for the timestamp (if any)
  • timestampFormat: 'unix' | 'iso' | 'ms'
  • payloadFormat: 'raw' | 'timestamped' | 'custom'
  • customConfig.payloadFormat: template like '{id}.{timestamp}.{body}'
  • customConfig.idHeader: header supplying the {id} value
  • customConfig.encoding: 'base64' if the provider base64-encodes the key

Framework Integration

Express.js

import express from 'express';
import { WebhookVerificationService } from '@hookflo/tern';

const app = express();

// IMPORTANT: use raw body parser for webhook routes
app.post(
  '/webhooks/stripe',
  express.raw({ type: 'application/json' }),
  async (req, res) => {
    const result = await WebhookVerificationService.verifyWithPlatformConfig(
      req,
      'stripe',
      process.env.STRIPE_WEBHOOK_SECRET!
    );

    if (!result.isValid) {
      return res.status(400).json({ error: result.error });
    }

    const event = result.payload;
    // handle event.type, e.g. 'payment_intent.succeeded'

    res.json({ received: true });
  }
);

Common mistake: Express's default json() middleware consumes and re-serializes the body, breaking HMAC. Always use express.raw() on webhook endpoints.

Next.js App Router (Route Handler)

// app/api/webhooks/github/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { WebhookVerificationService } from '@hookflo/tern';

export async function POST(req: NextRequest) {
  const result = await WebhookVerificationService.verifyWithPlatformConfig(
    req,
    'github',
    process.env.GITHUB_WEBHOOK_SECRET!
  );

  if (!result.isValid) {
    return NextResponse.json({ error: result.error }, { status: 400 });
  }

  const event = req.headers.get('x-github-event');
  // handle event

  return NextResponse.json({ received: true });
}

// Disable body parsing so Tern gets the raw body
export const config = { api: { bodyParser: false } };

Cloudflare Workers

addEventListener('fetch', (event) => {
  event.respondWith(handleRequest(event.request));
});

async function handleRequest(request: Request): Promise\x3CResponse> {
  if (request.method === 'POST' && new URL(request.url).pathname === '/webhooks/clerk') {
    const result = await WebhookVerificationService.verifyWithPlatformConfig(
      request,
      'clerk',
      CLERK_WEBHOOK_SECRET
    );

    if (!result.isValid) {
      return new Response(JSON.stringify({ error: result.error }), {
        status: 400,
        headers: { 'Content-Type': 'application/json' },
      });
    }

    return new Response(JSON.stringify({ received: true }));
  }

  return new Response('Not Found', { status: 404 });
}

Platform Manager (Advanced)

import { platformManager } from '@hookflo/tern';

// Verify using the platform manager directly
const result = await platformManager.verify(request, 'stripe', 'whsec_...');

// Get the config for a platform (for inspection)
const config = platformManager.getConfig('stripe');

// Get docs/metadata for a platform
const docs = platformManager.getDocumentation('stripe');

// Run built-in tests for a platform
const passed = await platformManager.runPlatformTests('stripe');

Testing

npm test                       # run all tests
npm run test:platform stripe   # test one platform
npm run test:all               # test all platforms

Part 2 — Hookflo (Hosted Alerting Platform)

Hookflo requires no library installation. The integration is:

  1. Create a webhook endpoint in the Hookflo Dashboard → get a Webhook URL + Secret
  2. Point your provider (Stripe, Supabase, Clerk, GitHub, etc.) at that URL
  3. Configure Slack/email notifications in the dashboard

How to Set Up a Hookflo Integration

Step 1 — Go to hookflo.com/dashboard and create a new webhook. You'll receive:

  • Webhook URL — paste into your provider's webhook settings
  • Webhook ID — used for token-based platforms
  • Secret Token — used by Hookflo to verify incoming events
  • Notification channel settings — configure Slack or email

Step 2 — Set up the provider to send to that Hookflo URL:

Provider Where to paste the URL
Stripe Dashboard → Developers → Webhooks → Add endpoint
Supabase Dashboard → Database → Webhooks → Create webhook
Clerk Dashboard → Webhooks → Add endpoint
GitHub Repo/Org Settings → Webhooks → Add webhook

Step 3 — In the Hookflo dashboard, configure:

  • Which event types to alert on (e.g., payment_intent.succeeded, user.created)
  • Notification channels (Slack workspace/channel, email addresses)
  • Digest frequency if you want batched summaries instead of per-event alerts

Hookflo Platform Docs

Hookflo + Tern Together

If you want both programmatic verification (Tern) AND logging/alerting (Hookflo), use a proxy pattern:

// Your server receives the webhook, verifies it with Tern, then forwards to Hookflo
app.post('/webhooks/stripe', express.raw({ type: 'application/json' }), async (req, res) => {
  // 1. Verify with Tern
  const result = await WebhookVerificationService.verifyWithPlatformConfig(
    req, 'stripe', process.env.STRIPE_WEBHOOK_SECRET!
  );
  if (!result.isValid) return res.status(400).json({ error: result.error });

  // 2. Process locally
  handleStripeEvent(result.payload);

  // 3. Forward to Hookflo for alerting/logging (optional)
  await fetch(process.env.HOOKFLO_WEBHOOK_URL!, {
    method: 'POST',
    headers: { ...req.headers, 'Content-Type': 'application/json' },
    body: req.body,
  });

  res.json({ received: true });
});

Alternatively, point Stripe directly at your Hookflo URL and keep Tern for a different endpoint.

Common Pitfalls & Best Practices

Raw Body Requirement

HMAC signatures are computed over the exact raw bytes of the request body. Any re-serialization (e.g., by a JSON body parser) will break verification. Always ensure:

  • Express: use express.raw({ type: 'application/json' }) on webhook routes
  • Next.js Pages Router: set export const config = { api: { bodyParser: false } }
  • Next.js App Router: Tern reads the body directly from the Request object

Replay Attack Protection

Always pass toleranceInSeconds (default is 300 = 5 minutes). This rejects requests with timestamps too far in the past, preventing replay attacks.

Secrets Management

  • Never hardcode secrets in source code
  • Use environment variables: process.env.STRIPE_WEBHOOK_SECRET
  • For Cloudflare Workers: use wrangler secret put STRIPE_WEBHOOK_SECRET
  • For Vercel: add secrets in project settings

Error Responses

Always return HTTP 400 (not 500) for failed verification — this signals to the sender that the request was rejected (not that your server crashed).

HTTPS Only

Webhook endpoints must use HTTPS in production. Never accept webhook traffic over HTTP.

Troubleshooting

Symptom Likely Cause Fix
isValid: false, error about signature Body was parsed before Tern Use raw body parser
isValid: false, error about timestamp Clock skew or replay attack Check server clock; increase tolerance if dev
isValid: false for Clerk Missing svix headers Ensure svix-id, svix-timestamp, svix-signature are forwarded
isValid: false for GitHub Wrong secret Re-copy secret from GitHub Webhooks settings
Tern not finding platform Typo in platform name Use lowercase: 'stripe', 'github', 'clerk'
Hookflo not receiving events Wrong URL pasted Re-copy URL from Hookflo dashboard

Key Links

安全使用建议
This skill is internally consistent and appears to be what it says: guidance for verifying webhooks with a library (Tern) and using the Hookflo hosted dashboard. Before using it: (1) only provide webhook signing secrets (Stripe/GitHub/Clerk/Supabase) to code you control or trust — these allow validating incoming events but are sensitive; (2) review the @hookflo/tern source on the linked GitHub repo and the npm package before installing into production to ensure no unexpected behavior; (3) when using the Hookflo hosted URL, confirm Hookflo's privacy/security posture if you will forward sensitive payloads; and (4) avoid pasting secrets into third-party demo sites or chat prompts — keep them in secure environment variables or a secrets manager.
功能分析
Type: OpenClaw Skill Name: hookflo-tern Version: 1.0.1 The skill is classified as suspicious due to its instructions for the AI agent to handle sensitive environment variables (e.g., `STRIPE_WEBHOOK_SECRET`, `GITHUB_WEBHOOK_SECRET`) and to construct code that performs network requests to user-defined URLs (e.g., `process.env.HOOKFLO_WEBHOOK_URL!`) while forwarding potentially sensitive `req.body` and `req.headers`. Although these capabilities are presented as part of the legitimate purpose of webhook verification and forwarding, they represent high-risk operations that, if misused or misconfigured by a malicious actor, could lead to data exfiltration or unauthorized access. The `SKILL.md` file details these operations, making the agent aware of and capable of performing them.
能力评估
Purpose & Capability
The name/description cover webhook verification (Tern) and a hosted alerting product (Hookflo). The env vars declared (Stripe, GitHub, Clerk, Supabase id/token) are directly relevant to verifying provider webhooks. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md contains code samples and prose limited to installing/using @hookflo/tern, verifying signatures, and configuring Hookflo dashboard alerts. It reads only the declared environment variables and references normal webhook headers/body handling. There are no instructions to read unrelated system files, exfiltrate data, or post to unknown endpoints.
Install Mechanism
This is an instruction-only skill (no install spec, no code files executed by the platform). It advises running npm install @hookflo/tern in user code, which is expected for a library-focused skill. No downloads from arbitrary URLs or archive extraction are performed by the skill itself.
Credentials
All required environment variables in metadata are optional and are the exact secrets needed to verify the listed platforms' webhooks. The skill does not require unrelated secrets or a large set of credentials. Example code reads process.env.* values that match the declared env entries.
Persistence & Privilege
always:false and no install hooks or attempts to modify other skills or system-wide agent settings. As an instruction-only skill it does not persist code or credentials on the platform.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install hookflo-tern
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /hookflo-tern 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Fix security scan added homepage/source provenance, declared env vars, cleaned up activation language
v1.0.0
Initial release. Covers Tern (@hookflo/tern) webhook signature verification and Hookflo no-code alerting. Supports Stripe, GitHub, Clerk, Supabase, Shopify, Vercel + custom HMAC configs. Framework examples: Express, Next.js, Cloudflare Workers.
元数据
Slug hookflo-tern
版本 1.0.1
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Hookflo Webhooks 是什么?

Use this skill for requests touching webhooks, event-driven infrastructure, or real-time HTTP callbacks — from beginner setup to advanced security and archit... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 727 次。

如何安装 Hookflo Webhooks?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install hookflo-tern」即可一键安装,无需额外配置。

Hookflo Webhooks 是免费的吗?

是的,Hookflo Webhooks 完全免费(开源免费),可自由下载、安装和使用。

Hookflo Webhooks 支持哪些平台?

Hookflo Webhooks 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Hookflo Webhooks?

由 Prateek Jain(@prateek32177)开发并维护,当前版本 v1.0.1。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论