With webhooks, you can set up a notification system that Onboardbase will use to send you updates on certain requests that you make to our APIs.

Creating a Webhook URL

Your webhook URL has to be a POST endpoint that Onboardbase can send updates to. We send updates in JSON format, so the endpoint needs to parse the JSON request body. The endpoint should also return a 200 OK response to acknowledge receiving the updates.

Types of events

We currently raise the following events. The list will continue to grow as we extend our webhook functionality.

| Event | Description |
| --- | --- |
| ENVIRONMENT_UPDATED | An environment's name was updated |
| SECRETS_UPDATED | A secret stored on Onboardbase has been updated |
| SECRETS_CREATED | A new secret was added; we include the ID of the new secret in the payload |
| SECRETS_DELETED | A secret was deleted; we include the ID of the affected secret in the payload |
| SECRETS_UPSERTED | A secret was added or updated from one of our integrations: Vercel, Netlify, Heroku |

Supported Events

{
  "team": { "name": "Docmini" },
  "project": {
    "name": "dockerized-nodejs-application",
    "description": "A simple dockerized Application",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "environment": {
    "title": "development",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "eventType": "ENVIRONMENT_UPDATED"
}

{
  "team": {
    "name": "Docmini"
  },
  "project": {
    "name": "dockerized-nodejs-application",
    "description": "A simple dockerized Application",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "environment": {
    "title": "development",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "secretIds": ["id1"],
  "eventType": "SECRETS_UPDATED"
}

{
  "team": {
    "name": "Docmini"
  },
  "project": {
    "name": "dockerized-nodejs-application",
    "description": "A simple dockerized Application",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "environment": {
    "title": "development",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "secretIds": ["id1"],
  "eventType": "SECRETS_CREATED"
}

{
  "team": {
    "name": "Docmini"
  },
  "project": {
    "name": "dockerized-nodejs-application",
    "description": "A simple dockerized Application",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "environment": {
    "title": "development",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "secretIds": ["id1"],
  "eventType": "SECRETS_DELETED"
}

{
  "team": {
    "name": "Docmini"
  },
  "project": {
    "name": "dockerized-nodejs-application",
    "description": "A simple dockerized Application",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "environment": {
    "title": "development",
    "createdAt": "2023-03-28T06:29:12.611Z"
  },
  "secretIds": ["id1", "id2"],
  "eventType": "SECRETS_UPSERTED"
}

Verifying Webhook Signatures

You can verify the events that Onboardbase sends to your webhook endpoints. Alongside the event body, we include an x-onboardbase-signature header in each webhook event.

The value of this header is an HMAC SHA512 signature of the event payload, signed with your Signing Secret. Check the header signature before processing any event.

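const express = require("express");
const crypto = require("crypto");
const app = express();
app.use(express.json());

// Hex-encoded HMAC SHA512 of the JSON-serialized event body
function GenerateSignature(secret, body) {
    const stringifyBody = JSON.stringify(body);
    return crypto
      .createHmac('sha512', secret)
      .update(stringifyBody)
      .digest('hex');
}

// Constant-time comparison; a missing or wrong-length header is invalid
function isValidSignature(received, expected) {
  if (typeof received !== "string") return false;
  const a = Buffer.from(received);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

const signingSecret = process.env.SIGNING_SECRET;
app.post("/webhook", (req, res) => {
  const signature = req.headers["x-onboardbase-signature"];
  const generatedSignature = GenerateSignature(signingSecret, req.body);
  // check that the signature is valid before processing the event
  if (!isValidSignature(signature, generatedSignature)) {
    return res.status(401).json({
      status: "error",
      message: "Invalid signature",
    });
  }
  // process the webhook event
  res.json({
    status: "success",
    message: "Webhook received",
  });
});

const port = process.env.PORT;
app.listen(port, () => {
  console.log(`Webhook listening on port ${port}`);
});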
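
The following is an added example, not Onboardbase's own code: it goes one step past the sample above by combining the signature check with dispatch on the event types listed on this page, without needing an HTTP server. The helper names (sign, signatureMatches, handleWebhook), the { status, action } return shape and the sample secret are hypothetical, and it assumes, as the sample above does, that the signature covers JSON.stringify of the body.

```javascript
const crypto = require("crypto");

// Event types listed on this page.
const SECRET_EVENTS = new Set([
  "SECRETS_UPDATED", "SECRETS_CREATED", "SECRETS_DELETED", "SECRETS_UPSERTED",
]);
const KNOWN_EVENTS = new Set(["ENVIRONMENT_UPDATED", ...SECRET_EVENTS]);

// Same construction as the page's sample: hex HMAC SHA512 over JSON.stringify(body).
function sign(secret, body) {
  return crypto.createHmac("sha512", secret).update(JSON.stringify(body)).digest("hex");
}

// Constant-time comparison; a missing or wrong-length header fails without throwing.
function signatureMatches(received, expected) {
  if (typeof received !== "string") return false;
  const a = Buffer.from(received);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Hypothetical helper: returns { status, action } so the decision is testable without HTTP.
function handleWebhook(secret, headers, body) {
  if (!signatureMatches(headers["x-onboardbase-signature"], sign(secret, body))) {
    return { status: 401, action: "rejected: bad signature" };
  }
  const eventType = body?.eventType;
  if (!KNOWN_EVENTS.has(eventType)) {
    // Authentic but unrecognised (the event list may grow): acknowledge, do nothing.
    return { status: 200, action: "ignored: unknown eventType" };
  }
  if (SECRET_EVENTS.has(eventType)) {
    const ids = body.secretIds;
    if (!Array.isArray(ids) || !ids.every((id) => typeof id === "string")) {
      return { status: 400, action: "rejected: malformed secretIds" };
    }
    return { status: 200, action: `refresh ${ids.length} secret(s) in ${body.environment?.title}` };
  }
  return { status: 200, action: `environment updated: ${body.environment?.title}` };
}

// Constructed sample input, not real Onboardbase traffic.
const SAMPLE_SECRET = "constructed-signing-secret";
const SAMPLE_EVENT = {
  team: { name: "Docmini" }, environment: { title: "development" },
  secretIds: ["id1", "id2"],
  eventType: "SECRETS_UPSERTED",
};
console.log(handleWebhook(SAMPLE_SECRET, { "x-onboardbase-signature": sign(SAMPLE_SECRET, SAMPLE_EVENT) }, SAMPLE_EVENT));
```
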

How to Get Your Signing Secret

The signing secret depends on how the webhook was created. If the webhook is tied to an OAuth Client, i.e. the webhook was created via our Public API and you are receiving the webhook on behalf of a user via an OAuth Client, the signing secret is the Client Secret of that OAuth Client.

If the webhook isn't tied to any OAuth Client, then the signing secret is the value of the Signing Secret on your Onboardbase profile. You will find this by clicking on your avatar at the top right and selecting Manage your account.