Validate Feed Webhook Destination

curl --request POST \
  --url https://api.clicker.xyz/v1/webhooks/feed/{uid}/validate \
  --header 'Authorization: Bearer <token>'

{
  "success": true,
  "error": "<string>"
}

Webhooks

Validate Destination

Validate and test the functionality of your receiving endpoing by calling this endoint. Upon receiving this POST, we will make two requests to the destination URL:

one without a signature
one with a valid “Daylight-Signature” header.

Each request will contain an example feed item, allowing you to test parsing and validation. To receive a successful response from this request, your receiving endpoint must return a non-2xx response to the invalid request and a 2xx response to the valid one.

POST

webhooks

feed

{uid}

validate

Validate Feed Webhook Destination

curl --request POST \
  --url https://api.clicker.xyz/v1/webhooks/feed/{uid}/validate \
  --header 'Authorization: Bearer <token>'

{
  "success": true,
  "error": "<string>"
}

When a webhook alert pings your server, we provide a signature to verify that the alert is coming from us. This signature should match a hash of the incoming request’s body. To perform this verification, you need:

The secret generated when first creating the webhook
The signature in the header daylight-signature
The string of the body included in the request

Example verification function

import crypto from "crypto";

export function verifyDaylightWebhookSignature({
  headerSignature,
  body,
  secret,
}: {
  headerSignature: string | null | undefined;
  body: string;
  secret: string;
}) {
  //Step 1: Extract the timestamp and signatures from the header
  // (the signature var in this case)
  const sigSplit = (headerSignature || "").split(",") || [];

  let timestamp: string | undefined = undefined;
  let signature: string | undefined = undefined;
  for (const element of sigSplit) {
    const [key, value] = element.split("=");
    if (key === "t") {
      timestamp = value;
    } else if (key === "v1") {
      signature = value;
    }
  }

  if (!signature || !timestamp) {
    throw new Error(`Missing timestamp or signature in ${signature}`);
  }

  // Step 2: Prepare the signed_payload string
  const toSign = `${timestamp}.${body}`;

  //Step 3: Determine the expected signature
  const hash = crypto
    .createHmac("sha256", secret)
    .update(toSign)
    // use base64url instead of base64 to escape equal signs
    // a header ending with an = is invalid!
    .digest("base64url");

  if (hash !== signature) {
    throw new Error(`Incorrect signature value in ${signature}`);
  }

  return true;
}

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

uid

string<uuid>

required

Response

200

success

boolean

required

error

string

⌘I

API Reference

Profiles

Positions

Leaderboard

Comments

Webhooks

Feed

Response Types

Validate Destination

Example verification function

Authorizations

Path Parameters

Response

API Reference

Profiles

Positions

Leaderboard

Comments

Webhooks

Feed

Response Types

Documentation Index

​Example verification function

Authorizations

Path Parameters

Response

Example verification function