Skip to content

destwebhook signing secret template #543

Description

@alexluong

Configurable Webhook Signing Secret Generation

Problem

Currently, webhook signing secrets are auto-generated as 32-byte random hex strings. There's no way to customize the secret format or generation pattern, which limits flexibility for users who want to use a specific secret format (e.g., whsec_xxxxx prefix like Stripe).

Current Behavior

func generateSignatureSecret() (string, error) {
    randomBytes := make([]byte, 32)
    rand.Read(randomBytes)
    return hex.EncodeToString(randomBytes), nil // Always returns 64-char hex string
}

Proposed Solution

Add a template-based configuration similar to existing signature templates:

Config:

destinations:
  webhook:
    signing_secret_template: "whsec_{{.RandomHex}}"  # or "{{.RandomBase64}}", etc.

Environment Variable:

WEBHOOK_SIGNING_SECRET_TEMPLATE="whsec_{{.RandomHex}}"

Template Variables

Suggested template variables:

  • {{.RandomHex}} - 64-char hex string (current default)
  • {{.RandomBase64}} - Base64-encoded random bytes
  • {{.RandomAlphanumeric}} - Alphanumeric random string

and other ID generation functions if necessary.

Breaking Change Considerations

Current behavior as template: {{.RandomHex}} (64-character hex string from 32 random bytes)

This is a breaking change if we change the default template to something else (e.g., whsec_{{.RandomHex}}).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions