Manage secrets

Rotate consumer secrets and validate every Chainhooks delivery

What you'll learn

  • Create/rotate a Chainhooks consumer secret.
  • Validate webhook requests by checking the Authorization header.

Prerequisites

  • Hiro API key
  • Node.js (server example uses Fastify).

Validating webhook requests with a consumer secret

When you create a secret, our Chainhooks service attaches an Authorization: Bearer <secret> header to every webhook attempt, giving you a simple shared-secret handshake. Here's how to get started:

  1. Rotate the secret with rotateConsumerSecret (or the /chainhooks/{uuid}/secret API) whenever you need to initialize or create a new token.
  2. Reject webhook deliveries whose Authorization header does not equal Bearer <current-secret>.

Create/rotate consumer secret

server.ts
import { ChainhooksClient, CHAINHOOKS_BASE_URL } from '@hirosystems/chainhooks-client';

const client = new ChainhooksClient({
  baseUrl: CHAINHOOKS_BASE_URL.mainnet, // or .testnet / custom URL
  apiKey: process.env.HIRO_API_KEY!,
});

// chainhookUuid is the UUID of the chainhook whose secret you are rotating.
// Await the call first, then read .secret from the resolved result.
// Store this value securely and use it to validate webhook requests
const secret = (await client.rotateConsumerSecret(chainhookUuid)).secret;

Example Fastify server

server.ts
import Fastify from 'fastify';

const server = Fastify();

server.post('/webhook', async (request, reply) => {
  // Fail closed when no secret has been loaded yet.
  if (!secret) {
    reply.code(503).send({ error: 'consumer secret unavailable' });
    return;
  }

  // Every delivery must carry exactly "Bearer <current-secret>".
  const authHeader = request.headers.authorization;
  if (authHeader !== `Bearer ${secret}`) {
    reply.code(401).send({ error: 'invalid consumer secret' });
    return;
  }

  // Only the field read below is typed here.
  const event = request.body as { chainhook: { uuid: string } };
  console.log(`received chainhook ${event.chainhook.uuid}`);
  reply.code(204).send();
});

await server.listen({ port: Number(process.env.PORT) || 3000 });
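
The handler above compares the header with `!==`, which is not guaranteed to run in constant time. The following added example (not from the Hiro documentation or the chainhooks client) performs the same check with Node's `crypto.timingSafeEqual` and shows that a stale secret is rejected after rotation; `isValidDelivery`, `createSecretStore` and the sample secrets are hypothetical names and constructed values.

```javascript
// Added example: constant-time check of the Chainhooks Authorization header.
const { createHash, timingSafeEqual } = require('node:crypto');

// SHA-256 gives both sides a fixed 32-byte length, which timingSafeEqual
// requires, and keeps the secret's length out of the comparison.
function digest(value) {
  return createHash('sha256').update(value, 'utf8').digest();
}

// Returns true only when authHeader is exactly `Bearer <currentSecret>`.
// authHeader is request.headers.authorization (a string or undefined).
function isValidDelivery(authHeader, currentSecret) {
  // Fail closed: no secret loaded or no usable header means no match.
  if (typeof currentSecret !== 'string' || currentSecret.length === 0) return false;
  if (typeof authHeader !== 'string') return false;
  return timingSafeEqual(digest(authHeader), digest(`Bearer ${currentSecret}`));
}

// Hypothetical helper (not part of the chainhooks client): holds the current
// secret so that a rotation applies to the very next delivery.
function createSecretStore(initialSecret) {
  let current = initialSecret;
  return {
    rotate(nextSecret) { current = nextSecret; },
    verify(authHeader) { return isValidDelivery(authHeader, current); },
  };
}

// Constructed sample values, not real secrets.
function demo() {
  const store = createSecretStore('old-secret-constructed');
  const before = store.verify('Bearer old-secret-constructed');
  store.rotate('new-secret-constructed');
  return {
    before,
    staleAfterRotation: store.verify('Bearer old-secret-constructed'),
    currentAfterRotation: store.verify('Bearer new-secret-constructed'),
    missingHeader: store.verify(undefined),
  };
}
```

In the Fastify handler, `store.verify(request.headers.authorization)` would take the place of the `!==` comparison, with `store.rotate(...)` called on the value returned by rotateConsumerSecret.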
