Agent Approval Webhook Handler
Validate and process Inngest webhook payloads for agent completion events with HMAC-SHA256 signature verification.
Code
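```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

export function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string,
): boolean {
  // HMAC-SHA256 of the raw payload, hex-encoded to match the signature format.
  const expected = createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  // Accept the signature with or without the "sha256=" prefix.
  const sig = signature.startsWith('sha256=') ? signature.slice(7) : signature;
  const expectedBuf = Buffer.from(expected);
  const sigBuf = Buffer.from(sig);
  // timingSafeEqual throws on a length mismatch, so reject unequal lengths first.
  if (expectedBuf.length !== sigBuf.length) return false;
  return timingSafeEqual(expectedBuf, sigBuf);
}
```
How it works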
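Always verify webhook signatures before processing. `timingSafeEqual` prevents timing attacks that could allow an attacker to brute-force the secret by measuring response times. It throws a `RangeError` when its two inputs differ in byte length, so compare lengths first and treat a mismatch as a failed verification.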
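An added example (not from the original page or from Inngest's code) showing where the check sits in a handler: the signature is verified over the raw request body before any JSON parsing, and a missing or malformed signature yields 401 rather than an exception. The event shape, `handleWebhook`, `sign` and the sample values are assumptions constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Hypothetical event shape for illustration; not Inngest's actual schema.
interface AgentCompletionEvent {
  name: 'agent/run.completed';
  data: { runId: string; approved: boolean };
}
type HandlerResult =
  | { status: 200; event: AgentCompletionEvent }
  | { status: 400 | 401; error: string };

// Constructed sample values, not real credentials or captured traffic.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = '{"name":"agent/run.completed","data":{"runId":"run_123","approved":false}}';

// Stand-in for the sender: produces the "sha256=<hex>" value for a body.
function sign(rawBody: string, secret: string): string {
  return 'sha256=' + createHmac('sha256', secret).update(rawBody).digest('hex');
}

function handleWebhook(
  rawBody: string,
  signatureHeader: string | undefined,
  secret: string,
): HandlerResult {
  // 1. Authenticate the exact bytes received, before any parsing.
  const expected = createHmac('sha256', secret).update(rawBody).digest();
  const hex = (signatureHeader ?? '').replace(/^sha256=/, '');
  // Decode only well-formed hex; anything else becomes an empty buffer and fails.
  const received = /^[0-9a-f]{64}$/i.test(hex) ? Buffer.from(hex, 'hex') : Buffer.alloc(0);
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return { status: 401, error: 'invalid signature' };
  }
  // 2. Only authenticated input reaches the parser and the shape check.
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: 'malformed JSON' };
  }
  const e = parsed as Partial<AgentCompletionEvent> | null;
  if (e?.name !== 'agent/run.completed' ||
      typeof e?.data?.runId !== 'string' || typeof e?.data?.approved !== 'boolean') {
    return { status: 400, error: 'unexpected event shape' };
  }
  return { status: 200, event: e as AgentCompletionEvent };
}
```

Pass the body exactly as received on the wire; a body that was parsed and re-serialized can differ byte-for-byte from what the sender signed.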