Webhook Trigger
Webhooks let external systems push events to you. Your endpoint must be resilient, secure, and idempotent.
Verify signatures (HMAC example)
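```csharp
using System.Security.Cryptography;
using System.Text;

// AlreadyProcessed and EnqueueAsync are application-defined helpers.
app.MapPost("/webhook", async (HttpRequest http, Kernel kernel) =>
{
    // 1) Read the raw body and signature header
    using var reader = new StreamReader(http.Body);
    var body = await reader.ReadToEndAsync();
    var signature = http.Headers["X-Signature"].ToString();

    // 2) Compute HMAC over the raw body and compare (constant-time)
    var secret = Environment.GetEnvironmentVariable("WEBHOOK_SECRET")!;
    using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
    var expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));

    // Decode the hex header to bytes so hex letter case cannot cause a mismatch;
    // a missing or malformed signature is rejected rather than throwing.
    byte[] provided;
    try { provided = Convert.FromHexString(signature); }
    catch (FormatException) { return Results.Unauthorized(); }

    if (!CryptographicOperations.FixedTimeEquals(provided, expected))
    {
        return Results.Unauthorized();
    }

    // 3) Idempotency (dedupe); an empty id must not collapse distinct events into one
    var id = http.Headers["X-Event-Id"].ToString();
    if (string.IsNullOrEmpty(id)) return Results.BadRequest();
    if (await AlreadyProcessed(id)) return Results.Ok();

    // 4) Queue for processing, then ack fast
    await EnqueueAsync(body);
    return Results.Accepted();
});
```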
- Process events from the queue with controlled concurrency and call SK inside workers.
- Persist success/failure and implement dead-letter queues.
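The worker side described in the two points above, as an added sketch that is not code from the original page: a bounded queue, a fixed number of workers, an atomic dedupe claim, bounded retries, and a dead-letter queue for poison messages. The in-memory collections stand in for durable stores, and `WebhookEvent`, `HandleAsync`, `WorkerAsync` and the sample deliveries are hypothetical names and constructed data; it assumes a .NET 6+ console project with implicit usings.

```csharp
using System.Collections.Concurrent;
using System.Threading.Channels;

// Constructed sample deliveries: evt-2 arrives twice, evt-3 always fails (poison).
var deliveries = new[] { ("evt-1", "ok"), ("evt-2", "ok"), ("evt-2", "ok"), ("evt-3", "poison") };

var queue = Channel.CreateBounded<WebhookEvent>(100);       // bounded => backpressure
var seen = new ConcurrentDictionary<string, byte>();        // stand-in for a durable dedupe store
var outcomes = new ConcurrentDictionary<string, string>();  // stand-in for persisted success/failure
var deadLetters = new ConcurrentQueue<WebhookEvent>();      // stand-in for a dead-letter queue
const int MaxAttempts = 3, Workers = 2;

// Hypothetical handler; in the page's design this is where the worker would call SK.
Task HandleAsync(WebhookEvent e) =>
    e.Body == "poison" ? Task.FromException(new InvalidOperationException("bad payload")) : Task.CompletedTask;

async Task WorkerAsync()
{
    await foreach (var e in queue.Reader.ReadAllAsync())
    {
        for (var attempt = 1; ; attempt++)
        {
            try { await HandleAsync(e); outcomes[e.Id] = "succeeded"; break; }
            catch (Exception) when (attempt < MaxAttempts) { await Task.Delay(50 * attempt); } // simple backoff
            catch (Exception)
            {
                outcomes[e.Id] = "failed";
                deadLetters.Enqueue(e);   // park the poison message instead of retrying forever
                break;
            }
        }
    }
}

// Controlled concurrency: exactly Workers consumers drain the queue.
var workers = Enumerable.Range(0, Workers).Select(_ => WorkerAsync()).ToArray();

foreach (var (id, body) in deliveries)
{
    // TryAdd is an atomic claim: only the first delivery of an id is enqueued.
    if (seen.TryAdd(id, 0)) await queue.Writer.WriteAsync(new WebhookEvent(id, body));
}
queue.Writer.Complete();
await Task.WhenAll(workers);

foreach (var (id, status) in outcomes.OrderBy(o => o.Key)) Console.WriteLine($"{id}: {status}");
Console.WriteLine($"dead-lettered: {string.Join(", ", deadLetters.Select(d => d.Id))}");

record WebhookEvent(string Id, string Body);
```

The atomic claim matters because a separate "already processed?" check followed by an enqueue lets two concurrent deliveries of the same event id both pass; in a real deployment the claim would be a unique-key insert or equivalent in the durable store.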
Pros / Cons
- Pros: Efficient event-driven pipeline; backpressure via queue; reliable retries.
- Cons: Signature drift and clock skew; you must implement dedupe and poison handling.