Logo
GitHub1.1kDiscord invite
DocsCloudCollectors

Consuming Webhooks

To deliver and verify webhooks OpenMeter uses the Svix webhook service with signatures to ensure the security and authenticity of all webhooks. In this guide, we'll show you how to consume OpenMeter webhooks and verify the webhook signature.

Why Verify Webhooks

Because of the way webhooks work, attackers can impersonate services by simply sending a fake webhook to an endpoint. Think about it: it's just an HTTP POST from an unknown source. This is a potential security hole for many applications, or at the very least, a source of problems.

To prevent it, Svix signs every webhook and its metadata with a unique key for each endpoint. This signature can then be used to verify the webhook indeed comes from Svix, and only process it if it is.

You can read more about veryfing payloads on Svix's site.

Verifying Webhooks

Let's see the following Next.js example that verifies the webhook signature and logs the payload.

import { Webhook } from 'svix';
 
const wh = new Webhook(process.env.WEBHOOK_SECRET);
 
export default async function handler(req, res) {
  if (req.method !== 'POST') {
    res.status(405).json({});
    return;
  }
 
  const payload = (await buffer(req)).toString();
 
  try {
    // Verify the webhook signature
    msg = wh.verify(payload, req.headers);
  } catch (err) {
    res.status(400).json({ message: 'Bad signature' });
    return;
  }
 
  // Webhook payload with reported usage
  if (msg.type === 'report.meter') {
    console.log(msg);
    res.json({});
  }
 
  res.status(400).json({ message: 'Unknown event type' });
  return;
}

You can read more about payload verification on Svix's site.

Webhook Authentication

OpenMeter uses a signature to ensure the security and the authenticity of all of the webhooks. While signatures are the recommended way to secure your webhook endpoint, in environments where you can't verify the webhook signature, you can use HTTP Basic Authentication or Firewalls (IP blocking) to secure your webhook endpoint.

Read more about alternative webhook authentication and veryfing payloads on our webhook partner Svix's site.

Debugging Webhooks

OpenMeter Cloud UI gives you visibility into webhook delivery and errors. Visit the Webhooks page to see the status of your webhooks and any errors that may have occurred.

Previous
Build Customer Dashboard