Class: WorkOS::Webhooks

Inherits:

Object

• Object
• WorkOS::Webhooks

Defined in:

lib/workos/webhooks.rb

Constant Summary

DEFAULT_TOLERANCE_SECONDS =

180

Instance Method Summary

• #compute_signature(payload:, timestamp:, secret:) ⇒ Object

  Compute the HMAC-SHA256 hex signature for a (timestamp, payload) pair.

• #construct_event(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS) ⇒ WorkOS::WebhookEvent

  Verify a webhook signature and return a typed event struct.

• #create_webhook_endpoint(endpoint_url:, events:, request_options: {}) ⇒ WorkOS::WebhookEndpointJson

  Create a Webhook Endpoint.

• #delete_webhook_endpoint(id:, request_options: {}) ⇒ void

  Delete a Webhook Endpoint.

• #initialize(client) ⇒ Webhooks constructor

  A new instance of Webhooks.

• #list_webhook_endpoints(before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::WebhookEndpointJson>

  List Webhook Endpoints.

• #parse_signature_header(sig_header) ⇒ Object

  Parse a “t=<ms>, v1=<sig>” header into [timestamp, signature].

• #update_webhook_endpoint(id:, endpoint_url: nil, status: nil, events: nil, request_options: {}) ⇒ WorkOS::WebhookEndpointJson

  Update a Webhook Endpoint.

• #verify_event(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS) ⇒ Hash

  Verify a webhook signature and return the deserialized event payload.

• #verify_header(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS) ⇒ true

  Verify the webhook signature without deserializing the payload.

Constructor Details

#initialize(client) ⇒ Webhooks

Returns a new instance of Webhooks.

# File 'lib/workos/webhooks.rb', line 9

def initialize(client)
  @client = client
end

Instance Method Details

#compute_signature(payload:, timestamp:, secret:) ⇒ Object

Compute the HMAC-SHA256 hex signature for a (timestamp, payload) pair. Exposed publicly so users can build their own verification flow.

# File 'lib/workos/webhooks.rb', line 215

def compute_signature(payload:, timestamp:, secret:)
  WorkOS::Util::Signature.compute(payload: payload, timestamp: timestamp, secret: secret)
end

#construct_event(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS) ⇒ WorkOS::WebhookEvent

Verify a webhook signature and return a typed event struct.

Parses the ‘WorkOS-Signature` header, validates the HMAC-SHA256 signature against the endpoint secret, checks that the event timestamp is within the tolerance window, and returns a typed WorkOS::WebhookEvent.

Examples:

Rack / Sinatra

post "/webhooks" do
  event = client.webhooks.construct_event(
    payload:   request.body.read,
    sig_header: request.env["HTTP_WORKOS_SIGNATURE"],
    secret:    ENV["WORKOS_WEBHOOK_SECRET"]
  )
  case event.event
  when "user.created" then handle_user_created(event.data)
  end
end

Parameters:

• payload (String) —

  Raw webhook request body (must be the exact bytes received; do not re-serialize).

• sig_header (String) —

  Value of the ‘WorkOS-Signature` header (format: `“t=<ms_timestamp>, v1=<hex_sig>”`).

• secret (String) —

  Webhook endpoint secret from the WorkOS dashboard.

• tolerance (Integer) (defaults to: DEFAULT_TOLERANCE_SECONDS) —

  Maximum event age in seconds (default: 180). Events older than this are rejected to guard against replay attacks.

Returns:

• (WorkOS::WebhookEvent) —

  Typed event with ‘.event`, `.data`, `.id`, `.created_at`.

Raises:

• (WorkOS::SignatureVerificationError) —

  if the signature does not match, the header is malformed, or the timestamp exceeds the tolerance.

# File 'lib/workos/webhooks.rb', line 165

def construct_event(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS)
  raw = verify_event(payload: payload, sig_header: sig_header, secret: secret, tolerance: tolerance)
  WebhookEvent.new(raw)
end

#create_webhook_endpoint(endpoint_url:, events:, request_options: {}) ⇒ WorkOS::WebhookEndpointJson

Create a Webhook Endpoint

Parameters:

• endpoint_url (String) —

  The HTTPS URL where webhooks will be sent.

• events (Array<WorkOS::Types::CreateWebhookEndpointEvents>) —

  The events that the Webhook Endpoint is subscribed to.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::WebhookEndpointJson)

# File 'lib/workos/webhooks.rb', line 62

def create_webhook_endpoint(
  endpoint_url:,
  events:,
  request_options: {}
)
  body = {
    "endpoint_url" => endpoint_url,
    "events" => events
  }.compact
  response = @client.request(
    method: :post,
    path: "/webhook_endpoints",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::WebhookEndpointJson.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#delete_webhook_endpoint(id:, request_options: {}) ⇒ void

This method returns an undefined value.

Delete a Webhook Endpoint

Parameters:

• id (String) —

  Unique identifier of the Webhook Endpoint.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

# File 'lib/workos/webhooks.rb', line 118

def delete_webhook_endpoint(
  id:,
  request_options: {}
)
  @client.request(
    method: :delete,
    path: "/webhook_endpoints/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    request_options: request_options
  )
  nil
end

#list_webhook_endpoints(before: nil, after: nil, limit: nil, order: "desc", request_options: {}) ⇒ WorkOS::Types::ListStruct<WorkOS::WebhookEndpointJson>

List Webhook Endpoints

Parameters:

• before (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `before=“obj_123”` to fetch a new batch of objects before `“obj_123”`.

• after (String, nil) (defaults to: nil) —

  An object ID that defines your place in the list. When the ID is not present, you are at the end of the list. For example, if you make a list request and receive 100 objects, ending with ‘“obj_123”`, your subsequent call can include `after=“obj_123”` to fetch a new batch of objects after `“obj_123”`.

• limit (Integer, nil) (defaults to: nil) —

  Upper limit on the number of objects to return, between ‘1` and `100`.

• order (WorkOS::Types::WebhooksOrder, nil) (defaults to: "desc") —

  Order the results by the creation time. Supported values are ‘“asc”` (ascending), `“desc”` (descending), and `“normal”` (descending with reversed cursor semantics where `before` fetches older records and `after` fetches newer records). Defaults to descending.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::Types::ListStruct<WorkOS::WebhookEndpointJson>)

# File 'lib/workos/webhooks.rb', line 20

def list_webhook_endpoints(
  before: nil,
  after: nil,
  limit: nil,
  order: "desc",
  request_options: {}
)
  params = {
    "before" => before,
    "after" => after,
    "limit" => limit,
    "order" => order
  }.compact
  response = @client.request(
    method: :get,
    path: "/webhook_endpoints",
    auth: true,
    params: params,
    request_options: request_options
  )
  fetch_next = ->(cursor) {
    list_webhook_endpoints(
      before: before,
      after: cursor,
      limit: limit,
      order: order,
      request_options: request_options
    )
  }
  WorkOS::Types::ListStruct.from_response(
    response,
    model: WorkOS::WebhookEndpointJson,
    filters: {before: before, limit: limit, order: order},
    fetch_next: fetch_next
  )
end

#parse_signature_header(sig_header) ⇒ Object

Parse a “t=<ms>, v1=<sig>” header into [timestamp, signature]. Exposed publicly for advanced use.

# File 'lib/workos/webhooks.rb', line 221

def parse_signature_header(sig_header)
  WorkOS::Util::Signature.parse_header(sig_header)
rescue ArgumentError => e
  raise WorkOS::SignatureVerificationError.new(message: e.message, http_status: nil)
end

#update_webhook_endpoint(id:, endpoint_url: nil, status: nil, events: nil, request_options: {}) ⇒ WorkOS::WebhookEndpointJson

Update a Webhook Endpoint

Parameters:

• id (String) —

  Unique identifier of the Webhook Endpoint.

• endpoint_url (String, nil) (defaults to: nil) —

  The HTTPS URL where webhooks will be sent.

• status (WorkOS::Types::UpdateWebhookEndpointStatus, nil) (defaults to: nil) —

  Whether the Webhook Endpoint is enabled or disabled.

• events (Array<WorkOS::Types::UpdateWebhookEndpointEvents>, nil) (defaults to: nil) —

  The events that the Webhook Endpoint is subscribed to.

• request_options (Hash) (defaults to: {}) —

  (see WorkOS::Types::RequestOptions)

Returns:

• (WorkOS::WebhookEndpointJson)

# File 'lib/workos/webhooks.rb', line 90

def update_webhook_endpoint(
  id:,
  endpoint_url: nil,
  status: nil,
  events: nil,
  request_options: {}
)
  body = {
    "endpoint_url" => endpoint_url,
    "status" => status,
    "events" => events
  }.compact
  response = @client.request(
    method: :patch,
    path: "/webhook_endpoints/#{WorkOS::Util.encode_path(id)}",
    auth: true,
    body: body,
    request_options: request_options
  )
  result = WorkOS::WebhookEndpointJson.new(response.body)
  result.last_response = WorkOS::Types::ApiResponse.new(http_status: response.code.to_i, http_headers: response.each_header.to_h, request_id: response["x-request-id"])
  result
end

#verify_event(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS) ⇒ Hash

Verify a webhook signature and return the deserialized event payload.

Parameters:

• payload (String) —

  Raw webhook request body.

• sig_header (String) —

  Value of the WorkOS-Signature header (format: “t=<ms_timestamp>, v1=<hex_sig>”).

• secret (String) —

  Webhook endpoint secret from the dashboard.

• tolerance (Integer) (defaults to: DEFAULT_TOLERANCE_SECONDS) —

  Maximum age of the event in seconds.

Returns:

• (Hash) —

  Parsed JSON payload.

Raises:

• (WorkOS::SignatureVerificationError) —

  if signature or timestamp invalid.

# File 'lib/workos/webhooks.rb', line 179

def verify_event(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS)
  verify_header(payload: payload, sig_header: sig_header, secret: secret, tolerance: tolerance)
  JSON.parse(payload)
end

#verify_header(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS) ⇒ true

Verify the webhook signature without deserializing the payload.

Parameters:

• payload (String) —

  Raw webhook request body.

• sig_header (String) —

  Value of the ‘WorkOS-Signature` header.

• secret (String) —

  Webhook endpoint secret.

• tolerance (Integer) (defaults to: DEFAULT_TOLERANCE_SECONDS) —

  Maximum event age in seconds (default: 180).

Returns:

• (true) —

  Returns ‘true` on success.

Raises:

• (WorkOS::SignatureVerificationError) —

  if verification fails.

# File 'lib/workos/webhooks.rb', line 192

def verify_header(payload:, sig_header:, secret:, tolerance: DEFAULT_TOLERANCE_SECONDS)
  timestamp_ms, signature_hash = parse_signature_header(sig_header)
  max_age = tolerance.to_i
  issued_at = timestamp_ms.to_i / 1000.0
  if (Time.now.to_f - issued_at) > max_age
    raise WorkOS::SignatureVerificationError.new(
      message: "Timestamp outside the tolerance zone",
      http_status: nil
    )
  end

  expected = compute_signature(payload: payload, timestamp: timestamp_ms, secret: secret)
  unless secure_compare(signature_hash, expected)
    raise WorkOS::SignatureVerificationError.new(
      message: "Signature hash does not match the expected signature hash for payload",
      http_status: nil
    )
  end
  true
end