Build your Webhook Relay with AI in under 5 minutes

Build a Pipedream-style webhook receiver with HMAC-SHA256 signature verification, replay-window protection, body-size caps, multi-vendor signature header support (Stripe / GitHub / generic), and a deliveries dashboard — generated from a single prompt.

작동 방식

단계 1

아이디어를 설명하세요

원하는 것을 일반 텍스트 프롬프트로 작성하세요.

단계 2

AI가 빌드합니다

FloopFloop이 즉시 프로덕션 수준의 코드를 생성합니다.

단계 3

배포 및 라이브 공개

프로젝트가 몇 분 안에 자체 서브도메인에 호스팅됩니다.

개발자 고용 대신 AI로 빌드해야 하는 이유는?

FloopFloop기존 개발자
출시 소요 시간5분 이내2~8주
비용$0부터$5,000 - $50,000+
유지 관리포함지속적인 유지보수 계약

이 프롬프트를 사용해 보세요

아래 프롬프트를 복사하여 FloopFloop에 붙여넣고 시작하세요.

Build a webhook ingest endpoint that authenticates incoming Stripe webhooks. Verify the `stripe-signature` header against the WEBHOOK_SECRET env var with HMAC-SHA256 + a 5-minute replay window. Cap the body at 1MB before JSON.parse. Persist every successful delivery to a `webhook_events` table with the event type, body, and received-at timestamp; the dashboard shows them in reverse-chronological order.

Create a multi-vendor webhook receiver. Accept Stripe (`stripe-signature`), GitHub (`x-hub-signature-256`), and generic (`x-webhook-signature`) header conventions; auto-detect which by header presence and use the matching HMAC algorithm. Per-vendor WEBHOOK_SECRET via separate env vars so a leak of one doesn't compromise the others.

Design a webhook fan-out relay. Single inbound endpoint receives the event, then fans out to 3 configured downstream URLs (your dev environment, your prod environment, your analytics service). Per-destination retry-with-exponential-backoff on 5xx responses. Delivery log shows the outcome of each fan-out leg.

Build a low-friction webhook ingest that's open by default (no signature required) so the operator can wire a sender quickly during local dev, but fails CLOSED in production with a 503 + actionable error message if WEBHOOK_SECRET is unset. Dev mode emits a console.warn on every unsigned delivery so the operator notices before shipping.

자주 묻는 질문

How does signature verification work?
HMAC-SHA256 over the raw request body (or `timestamp.body` when a timestamp header is present, the Stripe convention). Constant-time compare so an attacker can't time-discriminate which byte of the signature was wrong. Three vendor header conventions auto-detected: `x-webhook-signature`, `x-hub-signature-256`, `stripe-signature`.
What stops replay attacks?
When the sender includes a timestamp header (`x-webhook-timestamp` or `stripe-timestamp`), the verifier rejects deliveries with a timestamp older than the replay window (default: 5 minutes). The timestamp is bound into the HMAC payload so an attacker can't just rewrite it. Senders without a timestamp header fall through to body-only HMAC — replay protection requires the timestamp.
Will it fail closed if I forget to set WEBHOOK_SECRET?
Yes in production — the iter-82 hardening landed exactly this fix. With NODE_ENV=production and an unset WEBHOOK_SECRET, the POST handler returns 503 with an actionable error pointing at Project Settings → Secrets. In dev / preview the route still accepts unsigned requests (it's useful while wiring up a sender) but emits a console.warn on every delivery so the operator notices before promoting to production.
How big can a webhook payload be?
Default cap is 1MB, checked via `content-length` header AND a streaming-reader byte count (so a hostile client lying about its length can't slip through). Caps before JSON.parse so a 100MB-of-nested-arrays payload can't burn Lambda memory.
Where do the delivered events get persisted?
The default template inserts every successful delivery into a `webhook_events` table (id, vendor, event_type, body jsonb, received_at). For high-volume webhooks refine with 'partition the table by month + drop partitions older than 90 days via a daily cron'.
Can it fan out to multiple destinations?
Default ships single-destination (just persist). For fan-out refine with 'add a webhook_destinations config table + per-event POST to every active destination URL with retry-on-5xx using exponential backoff (1s, 2s, 4s, 8s, capped at 4 retries)'. Pipedream charges per outbound delivery; FloopFloop's runs on your own Lambda.
How is it different from /api/webhooks/stripe in the FloopFloop monorepo?
That's the receiver for FloopFloop's own Stripe billing webhooks — fixed to Stripe, fixed to the FloopFloop pricing tables. The webhook-relay template is general-purpose: any vendor, any consumer schema, any backing table. Use it for your project's webhook ingest, not for FloopFloop platform events.

관련 빌더

더 많은 카테고리 탐색

URL Shortener API

Build a Bitly-style URL shortener with a JSON POST /shorten endpoint, custom aliases, optional expiry dates, click counters, and a redirect handler — generated from a single prompt.

SaaS Analytics Dashboard

Build a SaaS analytics dashboard with MRR tracking, churn metrics, cohort analysis, and user funnels — generated entirely by AI.

Admin Panel

Build a powerful admin panel with user management, data tables, role-based access, and system configuration — all generated from a prompt.

Marketing Site

Build a multi-page marketing website with feature sections, pricing tables, team pages, and conversion-optimized CTAs — powered by AI.

Membership Site

Launch a paid membership site with gated content, recurring subscriptions, member-only pages, and a clean login portal — generated by AI in minutes.

빌드할 준비가 되셨나요?

지금 바로 프로젝트 빌드를 시작하세요 — 코딩이 필요하지 않습니다.

빌드 시작하기