In order to not expose your webhook endpoint to the public, you can verify the signature of the incoming payload and
cross-reference it with your signing key you got from the dashboard. For details on HMAC security, review this Wikipedia page.
Make sure not to share your signing key with anyone. If you believe your signing key has been compromised, be sure to refresh it
from the Penciled dashboard.
import crypto from 'crypto';/** * Verifies the signature of a webhook payload using the provided key. * * @param secretKey - The key on-hand to verify the signature. Located in environment variables * @param data - The body of the request * @param signature - The signature that came in the request headers * @returns A boolean indicating whether the signature is valid */export function verifyWebhookSignature(secretKey: string, data: any, signature: string): boolean { const expectedSignature = crypto.createHmac('sha256', secretKey) .update(data) .digest('hex'); return expectedSignature === signature;}