📌 Description
The backend ships webhook delivery with HMAC signing, timestamp/nonce replay
protection, schema versioning, and a dead-letter store, but there is no
consumer-facing guide explaining how an external integrator should verify
signatures, handle retries, and process events idempotently. docs/webhooks.md
covers the internal design; subscribers need an integration handbook.
This issue authors a subscriber-facing webhook integration guide.
🎯 Requirements and Context
- Document the signature scheme (HMAC algorithm, signed payload, timestamp and
nonce headers) with a verified pseudocode/example verifier.
- Document retry/backoff behaviour, dead-lettering, and how to use the replay and
test-ping endpoints.
- Document event schema versioning and content negotiation.
- Include an idempotent-consumer pattern using the delivered event id.
🛠️ Suggested Execution
1. Fork the repo and create a branch
git checkout -b docs/webhook-integration-guide
2. Implement changes
- Author
docs/webhook-integration-guide.md, cross-linking docs/webhooks.md.
- Add
src/tests/docs.webhookGuide.test.ts asserting the doc exists and documents
the current signature header names and schema versions (guards against drift).
3. Test and commit
- Run:
npm test -- src/tests/docs.webhookGuide.test.ts
- Cover edge cases: header names match implementation, example verifier matches
the signing algorithm, schema-version list current.
Example commit message
docs: subscriber-facing webhook integration and signature-verification guide
✅ Guidelines
- Minimum 95% test coverage on any helper/assertion code added.
- Doc must match the implemented signing/headers exactly.
- Timeframe: 96 hours.
🏷️ Labels
type-documentation · area-backend · MAYBE REWARDED · GRANTFOX OSS · OFFICIAL CAMPAIGN
💬 Community & Support
- Join the contributor Discord to coordinate, ask questions, and get unblocked fast: https://discord.gg/xvNAvMJf
- Please introduce yourself in the channel before you start so we can avoid duplicate work, pair you with a reviewer, and get your PR merged quickly.
- Maintainers actively triage this channel and aim for fast, clear, respectful reviews — reach out any time you're blocked.
📌 Description
The backend ships webhook delivery with HMAC signing, timestamp/nonce replay
protection, schema versioning, and a dead-letter store, but there is no
consumer-facing guide explaining how an external integrator should verify
signatures, handle retries, and process events idempotently.
docs/webhooks.mdcovers the internal design; subscribers need an integration handbook.
This issue authors a subscriber-facing webhook integration guide.
🎯 Requirements and Context
nonce headers) with a verified pseudocode/example verifier.
test-ping endpoints.
🛠️ Suggested Execution
1. Fork the repo and create a branch
2. Implement changes
docs/webhook-integration-guide.md, cross-linkingdocs/webhooks.md.src/tests/docs.webhookGuide.test.tsasserting the doc exists and documentsthe current signature header names and schema versions (guards against drift).
3. Test and commit
npm test -- src/tests/docs.webhookGuide.test.tsthe signing algorithm, schema-version list current.
Example commit message
✅ Guidelines
🏷️ Labels
type-documentation·area-backend·MAYBE REWARDED·GRANTFOX OSS·OFFICIAL CAMPAIGN💬 Community & Support