Webhook Endpoint

POST /webhook - GitHub/Telegram events. HMAC sig auth, raw body parse. Returns 200 OK fast.

TL;DR: POST /webhook handles platform events. Verify sig -> parse -> queue. Always 200 <6ms.

Request
Headers
Responses
Errors
Code Snippets

Request

POST /webhook
Content-Type: application/json

Body: Platform payload (GitHub event/Telegram update).

Headers

Header	Required	Desc	Example
`X-Hub-Signature-256`	GitHub	HMAC-SHA256 sig	`sha256=6931...`
`X-GitHub-Event`	GitHub	Event type	`issue_comment`
`X-Telegram-Bot-Api-Secret-Token`	Telegram	Bot token	`12345:ABC...`

Responses

Status	Body	Meaning
200	`"OK"`	Accepted
401	`{error: "Invalid signature"}`	Auth fail

Errors

Code	Status	Desc
INVALID_SIG	401	HMAC mismatch
MISSING_SIG	401	No sig header
AUTH_001	403	Telegram user not allowed

From signature.ts

export function verifySignature(payload: string, signature: string, secret: string): boolean {
  const hmac = createHmac('sha256', secret);
  const digest = `sha256=${hmac.update(payload).digest('hex')}`;
  return timingSafeEqual(Buffer.from(digest), Buffer.from(signature));
}

Telegram auth auth.ts

if (!isUserAuthorized(env, userId)) {
  c.set('unauthorized', true);
}

Quiz: Sig fail -> ? A: 401 + log warn ✅

Integrate

app.post('/webhook', signatureMiddleware, parser, auth, agentHandler);

Deploy: bun run deploy:github -> GitHub webhook -> Test sig!

Related: Deployment | Health ->