Manage Keys

Rotate consumer secrets and validate every Chainhook delivery

What you'll learn

Create/rotate a Chainhook consumer secret.
Validate webhook requests by checking the header.

Prerequisites

  • Hiro API key
  • Node.js (server example uses Fastify).

Validating webhook requests with a consumer secret

When you create a secret, our Chainhook service attaches an Authorization: Bearer <secret> header to every webhook attempt, giving you a simple shared-secret handshake. Here's how to get started:

  1. 1Rotate the secret with rotateConsumerSecret (or the /chainhooks/{uuid}/secret API) whenever you need to initialize or create a new token.
  2. 2Reject webhook deliveries whose Authorization header does not equal Bearer <current-secret>.

Create/rotate consumer secret

server.ts
import { ChainhooksClient, CHAINHOOKS_BASE_URL } from '@hirosystems/chainhooks-client';



const client = new ChainhooksClient({

  baseUrl: CHAINHOOKS_BASE_URL.mainnet, // or .testnet / custom URL

  apiKey: process.env.HIRO_API_KEY!,

});



// Store this value securely and use it to validate webhook requests

const secret = await client.rotateConsumerSecret(chainhookUuid).secret;

Example Fastify server

1
import Fastify from 'fastify';

2


3
const server = Fastify();

4


5
server.post('/webhook', async (request, reply) => {

6
  if (!secret) {

7
    reply.code(503).send({ error: 'consumer secret unavailable' });

8
    return;

9
  }

10


11
  const authHeader = request.headers.authorization;

12
  if (authHeader !== `Bearer ${secret}`) {

13
    reply.code(401).send({ error: 'invalid consumer secret' });

14
    return;

15
  }

16


17
  const event = request.body;

18
  console.log(`received chainhook ${event.chainhook.uuid}`);

19
  reply.code(204).send();

20
});

21


22
await server.listen({ port: Number(process.env.PORT) || 3000 });

How is this guide?

Contents

What you'll learnPrerequisitesValidating webhook requests with a consumer secretCreate/rotate consumer secretExample Fastify server