Creates webhook endpoints with HMAC signature verification, idempotency checks, payload parsing, and async retry handling for Stripe, GitHub, Twilio.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin webhook-handler-creatorThis skill is limited to using the following tools:
Create secure webhook receiver endpoints with HMAC signature verification, idempotent event processing, and automatic retry handling. Support ingestion from providers like Stripe, GitHub, Twilio, and Slack with provider-specific signature validation schemes and payload parsing.
Designs secure webhook handlers with HMAC signature verification, idempotency checks, retry logic, logging, and dead letter queues for stacks like Next.js, Express, FastAPI.
Generates webhook handlers with signature verification, idempotency checks, and retry logic for Stripe, GitHub, Shopify, Twilio, and other providers. Use for third-party integrations.
Guides webhook design, inbound handling with HMAC verification and idempotency, outbound delivery with retries, circuit breakers, and dead letter queues.
Share bugs, ideas, or general feedback.
Create secure webhook receiver endpoints with HMAC signature verification, idempotent event processing, and automatic retry handling. Support ingestion from providers like Stripe, GitHub, Twilio, and Slack with provider-specific signature validation schemes and payload parsing.
express.raw(), FastAPI with Request.body())POST /webhooks/:provider) that captures the raw request body before any JSON parsing middleware runs.HMAC(raw_body, signing_secret) and comparing against the provider's signature header (X-Hub-Signature-256, Stripe-Signature, X-Twilio-Signature).evt_xxx) in Redis or a database table, rejecting duplicates with 200 OK to prevent provider retries.event.type, action, EventType) and route to the appropriate handler function using a dispatch map.See ${CLAUDE_SKILL_DIR}/references/implementation.md for the full implementation guide.
${CLAUDE_SKILL_DIR}/src/webhooks/receiver.js - Webhook endpoint with signature verification${CLAUDE_SKILL_DIR}/src/webhooks/handlers/ - Per-event-type handler functions${CLAUDE_SKILL_DIR}/src/webhooks/verify.js - HMAC signature verification utilities${CLAUDE_SKILL_DIR}/src/webhooks/idempotency.js - Duplicate event detection logic${CLAUDE_SKILL_DIR}/src/queues/webhook-processor.js - Async event processing queue worker${CLAUDE_SKILL_DIR}/tests/webhooks/ - Replay tests with recorded payloads| Error | Cause | Solution |
|---|---|---|
| 401 Signature Mismatch | HMAC verification failed against provider signature | Log the expected vs. received signature (redacted); verify signing secret rotation status |
| 400 Malformed Payload | Raw body is not valid JSON or missing required fields | Return 400 so provider marks delivery as failed; log raw body for debugging |
| 200 OK (duplicate) | Event ID already processed; idempotency guard triggered | Return 200 to prevent provider retry loops; log duplicate detection for monitoring |
| 504 Gateway Timeout | Synchronous processing exceeded provider timeout (typically 5-30s) | Move processing to async queue; respond 200 immediately upon signature verification |
| 500 Handler Exception | Business logic threw unhandled error during processing | Catch at dispatch layer; log full error with event payload; allow provider to retry |
Refer to ${CLAUDE_SKILL_DIR}/references/errors.md for comprehensive error patterns.
Stripe payment webhook: Verify Stripe-Signature header using stripe.webhooks.constructEvent(), then dispatch payment_intent.succeeded to fulfill orders and charge.refunded to process refund credits.
GitHub push webhook: Validate X-Hub-Signature-256, parse push events, extract commit list, and trigger CI/CD pipeline via queue message.
Multi-provider router: Single /webhooks/:provider endpoint that loads provider-specific signature verifier and event schema from a registry, supporting Stripe, GitHub, Twilio, and custom providers.
See ${CLAUDE_SKILL_DIR}/references/examples.md for additional examples.