creating-webhook-handlers
Create webhook endpoints with signature verification, retry logic, and payload validation. Use when receiving and processing webhook events. Trigger with phrases like "create webhook", "handle webhook events", or "setup webhook handler".
Best use case
creating-webhook-handlers is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Create webhook endpoints with signature verification, retry logic, and payload validation. Use when receiving and processing webhook events. Trigger with phrases like "create webhook", "handle webhook events", or "setup webhook handler".
Teams using creating-webhook-handlers should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/creating-webhook-handlers/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How creating-webhook-handlers Compares
| Feature / Agent | creating-webhook-handlers | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Create webhook endpoints with signature verification, retry logic, and payload validation. Use when receiving and processing webhook events. Trigger with phrases like "create webhook", "handle webhook events", or "setup webhook handler".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Creating Webhook Handlers
## Overview
Create secure webhook receiver endpoints with HMAC signature verification, idempotent event processing, and automatic retry handling. Support ingestion from providers like Stripe, GitHub, Twilio, and Slack with provider-specific signature validation schemes and payload parsing.
## Prerequisites
- Web framework with raw body access (Express with `express.raw()`, FastAPI with `Request.body()`)
- Webhook provider credentials: signing secret or shared secret key
- Persistent storage for idempotency tracking (Redis or database table for processed event IDs)
- Queue system for async processing (optional: Bull, Celery, SQS)
- ngrok or similar tunnel for local development testing
## Instructions
1. Examine existing route definitions and middleware using Grep and Read to identify where webhook endpoints integrate into the application.
2. Create a dedicated webhook route (e.g., `POST /webhooks/:provider`) that captures the raw request body before any JSON parsing middleware runs.
3. Implement HMAC-SHA256 signature verification by computing `HMAC(raw_body, signing_secret)` and comparing against the provider's signature header (`X-Hub-Signature-256`, `Stripe-Signature`, `X-Twilio-Signature`).
4. Add idempotency protection by storing processed event IDs (e.g., `evt_xxx`) in Redis or a database table, rejecting duplicates with 200 OK to prevent provider retries.
5. Parse the event type from the payload (`event.type`, `action`, `EventType`) and route to the appropriate handler function using a dispatch map.
6. Respond with 200 OK immediately, then enqueue the event payload for asynchronous processing to avoid webhook timeout failures.
7. Implement dead-letter handling for events that fail processing after maximum retry attempts, logging the full payload for manual inspection.
8. Write tests that replay recorded webhook payloads with valid and tampered signatures to verify acceptance and rejection behavior.
See `${CLAUDE_SKILL_DIR}/references/implementation.md` for the full implementation guide.
## Output
- `${CLAUDE_SKILL_DIR}/src/webhooks/receiver.js` - Webhook endpoint with signature verification
- `${CLAUDE_SKILL_DIR}/src/webhooks/handlers/` - Per-event-type handler functions
- `${CLAUDE_SKILL_DIR}/src/webhooks/verify.js` - HMAC signature verification utilities
- `${CLAUDE_SKILL_DIR}/src/webhooks/idempotency.js` - Duplicate event detection logic
- `${CLAUDE_SKILL_DIR}/src/queues/webhook-processor.js` - Async event processing queue worker
- `${CLAUDE_SKILL_DIR}/tests/webhooks/` - Replay tests with recorded payloads
## Error Handling
| Error | Cause | Solution |
|-------|-------|----------|
| 401 Signature Mismatch | HMAC verification failed against provider signature | Log the expected vs. received signature (redacted); verify signing secret rotation status |
| 400 Malformed Payload | Raw body is not valid JSON or missing required fields | Return 400 so provider marks delivery as failed; log raw body for debugging |
| 200 OK (duplicate) | Event ID already processed; idempotency guard triggered | Return 200 to prevent provider retry loops; log duplicate detection for monitoring |
| 504 Gateway Timeout | Synchronous processing exceeded provider timeout (typically 5-30s) | Move processing to async queue; respond 200 immediately upon signature verification |
| 500 Handler Exception | Business logic threw unhandled error during processing | Catch at dispatch layer; log full error with event payload; allow provider to retry |
Refer to `${CLAUDE_SKILL_DIR}/references/errors.md` for comprehensive error patterns.
## Examples
**Stripe payment webhook**: Verify `Stripe-Signature` header using `stripe.webhooks.constructEvent()`, then dispatch `payment_intent.succeeded` to fulfill orders and `charge.refunded` to process refund credits.
**GitHub push webhook**: Validate `X-Hub-Signature-256`, parse `push` events, extract commit list, and trigger CI/CD pipeline via queue message.
**Multi-provider router**: Single `/webhooks/:provider` endpoint that loads provider-specific signature verifier and event schema from a registry, supporting Stripe, GitHub, Twilio, and custom providers.
See `${CLAUDE_SKILL_DIR}/references/examples.md` for additional examples.
## Resources
- Stripe Webhook Signatures: https://stripe.com/docs/webhooks/signatures
- GitHub Webhook Events: https://docs.github.com/en/webhooks
- RFC 2104 HMAC specification for signature computation
- OWASP Webhook Security best practicesRelated Skills
webhook-signature-validator
Webhook Signature Validator - Auto-activating skill for API Integration. Triggers on: webhook signature validator, webhook signature validator Part of the API Integration skill category.
webhook-sender-creator
Webhook Sender Creator - Auto-activating skill for API Integration. Triggers on: webhook sender creator, webhook sender creator Part of the API Integration skill category.
webhook-retry-handler
Webhook Retry Handler - Auto-activating skill for API Integration. Triggers on: webhook retry handler, webhook retry handler Part of the API Integration skill category.
webhook-receiver-generator
Webhook Receiver Generator - Auto-activating skill for API Integration. Triggers on: webhook receiver generator, webhook receiver generator Part of the API Integration skill category.
creating-github-issues-from-web-research
This skill enhances Claude's ability to conduct web research and translate findings into actionable GitHub issues. It automates the process of extracting key information from web search results and formatting it into a well-structured issue, ready for team action. Use this skill when you need to research a topic and create a corresponding GitHub issue for tracking, collaboration, and task management. Trigger this skill by requesting Claude to "research [topic] and create a ticket" or "find [information] and generate a GitHub issue".
teams-webhook-sender
Teams Webhook Sender - Auto-activating skill for Business Automation. Triggers on: teams webhook sender, teams webhook sender Part of the Business Automation skill category.
exa-webhooks-events
Build event-driven integrations with Exa using scheduled monitors and content alerts. Use when building content monitoring, competitive intelligence pipelines, or scheduled search automation with Exa. Trigger with phrases like "exa monitor", "exa content alerts", "exa scheduled search", "exa event-driven", "exa notifications".
evernote-webhooks-events
Implement Evernote webhook notifications and sync events. Use when handling note changes, implementing real-time sync, or processing Evernote notifications. Trigger with phrases like "evernote webhook", "evernote events", "evernote sync", "evernote notifications".
elevenlabs-webhooks-events
Implement ElevenLabs webhook HMAC signature verification and event handling. Use when setting up webhook endpoints for transcription completion, call recording, or agent conversation events from ElevenLabs. Trigger: "elevenlabs webhook", "elevenlabs events", "elevenlabs webhook signature", "handle elevenlabs notifications", "elevenlabs post-call webhook", "elevenlabs transcription webhook".
documenso-webhooks-events
Implement Documenso webhook configuration and event handling. Use when setting up webhook endpoints, handling document events, or implementing real-time notifications for document signing. Trigger with phrases like "documenso webhook", "documenso events", "document completed webhook", "signing notification".
deepgram-webhooks-events
Implement Deepgram callback and webhook handling for async transcription. Use when implementing callback URLs, processing async transcription results, or handling Deepgram event notifications. Trigger: "deepgram callback", "deepgram webhook", "async transcription", "deepgram events", "deepgram notifications", "deepgram async".
databricks-webhooks-events
Configure Databricks job notifications, webhooks, and event handling. Use when setting up Slack/Teams notifications, configuring alerts, or integrating Databricks events with external systems. Trigger with phrases like "databricks webhook", "databricks notifications", "databricks alerts", "job failure notification", "databricks slack".