Manage secrets
Rotate consumer secrets and validate every Chainhooks delivery
What you'll learn
Create/rotate a Chainhooks consumer secret.
Validate webhook requests by checking the header.
Prerequisites
- Hiro API key
- Node.js (server example uses Fastify).
Validating webhook requests with a consumer secret
When you create a secret, our Chainhooks service attaches an Authorization: Bearer <secret> header to every webhook attempt, giving you a simple shared-secret handshake. Here's how to get started:
- 1Rotate the secret with
rotateConsumerSecret(or the/chainhooks/{uuid}/secretAPI) whenever you need to initialize or create a new token. - 2Reject webhook deliveries whose
Authorizationheader does not equalBearer <current-secret>.
Create/rotate consumer secret
-nc server.ts
1import { ChainhooksClient, CHAINHOOKS_BASE_URL } from '@hirosystems/chainhooks-client';23const client = new ChainhooksClient({4baseUrl: CHAINHOOKS_BASE_URL.mainnet, // or .testnet / custom URL5apiKey: process.env.HIRO_API_KEY!,6});78// Store this value securely and use it to validate webhook requests9const secret = await client.rotateConsumerSecret(chainhookUuid).secret;
Example Fastify server
-nc -n
1import Fastify from 'fastify';23const server = Fastify();45server.post('/webhook', async (request, reply) => {6if (!secret) {7reply.code(503).send({ error: 'consumer secret unavailable' });8return;9}1011const authHeader = request.headers.authorization;12if (authHeader !== `Bearer ${secret}`) {13reply.code(401).send({ error: 'invalid consumer secret' });14return;15}1617const event = request.body;18console.log(`received chainhook ${event.chainhook.uuid}`);19reply.code(204).send();20});2122await server.listen({ port: Number(process.env.PORT) || 3000 });