Build your Webhook Relay with AI in under 5 minutes

Build a Pipedream-style webhook receiver with HMAC-SHA256 signature verification, replay-window protection, body-size caps, multi-vendor signature header support (Stripe / GitHub / generic), and a deliveries dashboard — generated from a single prompt.

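How it works

Step 1

Describe your idea

Describe what you want in a plain-text prompt.

Step 2

AI builds it for you

FloopFloop generates production-ready code instantly.

Step 3

Deploy and go live

Your project is hosted on a dedicated subdomain within minutes.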

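Why build with AI instead of hiring a developer?

| | FloopFloop | Traditional developer |
|---|---|---|
| Time to launch | Under 5 minutes | 2 to 8 weeks |
| Cost | From $0 | $5,000 - $50,000+ |
| Maintenance | Included | Ongoing outsourcing fees |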

Try these prompts

Copy any of the prompts below and paste it into FloopFloop to start building.

Build a webhook ingest endpoint that authenticates incoming Stripe webhooks. Verify the `stripe-signature` header against the WEBHOOK_SECRET env var with HMAC-SHA256 + a 5-minute replay window. Cap the body at 1MB before JSON.parse. Persist every successful delivery to a `webhook_events` table with the event type, body, and received-at timestamp; the dashboard shows them in reverse-chronological order.

Create a multi-vendor webhook receiver. Accept Stripe (`stripe-signature`), GitHub (`x-hub-signature-256`), and generic (`x-webhook-signature`) header conventions; auto-detect which by header presence and use the matching HMAC algorithm. Per-vendor WEBHOOK_SECRET via separate env vars so a leak of one doesn't compromise the others.

Design a webhook fan-out relay. Single inbound endpoint receives the event, then fans out to 3 configured downstream URLs (your dev environment, your prod environment, your analytics service). Per-destination retry-with-exponential-backoff on 5xx responses. Delivery log shows the outcome of each fan-out leg.

Build a low-friction webhook ingest that's open by default (no signature required) so the operator can wire a sender quickly during local dev, but fails CLOSED in production with a 503 + actionable error message if WEBHOOK_SECRET is unset. Dev mode emits a console.warn on every unsigned delivery so the operator notices before shipping.

Frequently asked questions

How does signature verification work?
HMAC-SHA256 over the raw request body (or `timestamp.body` when a timestamp header is present, the Stripe convention). Constant-time compare so an attacker can't time-discriminate which byte of the signature was wrong. Three vendor header conventions auto-detected: `x-webhook-signature`, `x-hub-signature-256`, `stripe-signature`.
What stops replay attacks?
When the sender includes a timestamp header (`x-webhook-timestamp` or `stripe-timestamp`), the verifier rejects deliveries with a timestamp older than the replay window (default: 5 minutes). The timestamp is bound into the HMAC payload so an attacker can't just rewrite it. Senders without a timestamp header fall through to body-only HMAC — replay protection requires the timestamp.
Will it fail closed if I forget to set WEBHOOK_SECRET?
Yes in production — the iter-82 hardening landed exactly this fix. With NODE_ENV=production and an unset WEBHOOK_SECRET, the POST handler returns 503 with an actionable error pointing at Project Settings → Secrets. In dev / preview the route still accepts unsigned requests (it's useful while wiring up a sender) but emits a console.warn on every delivery so the operator notices before promoting to production.
How big can a webhook payload be?
Default cap is 1MB, checked via `content-length` header AND a streaming-reader byte count (so a hostile client lying about its length can't slip through). Caps before JSON.parse so a 100MB-of-nested-arrays payload can't burn Lambda memory.
Where do the delivered events get persisted?
The default template inserts every successful delivery into a `webhook_events` table (id, vendor, event_type, body jsonb, received_at). For high-volume webhooks refine with 'partition the table by month + drop partitions older than 90 days via a daily cron'.
Can it fan out to multiple destinations?
Default ships single-destination (just persist). For fan-out refine with 'add a webhook_destinations config table + per-event POST to every active destination URL with retry-on-5xx using exponential backoff (1s, 2s, 4s, 8s, capped at 4 retries)'. Pipedream charges per outbound delivery; FloopFloop's runs on your own Lambda.
How is it different from /api/webhooks/stripe in the FloopFloop monorepo?
That's the receiver for FloopFloop's own Stripe billing webhooks — fixed to Stripe, fixed to the FloopFloop pricing tables. The webhook-relay template is general-purpose: any vendor, any consumer schema, any backing table. Use it for your project's webhook ingest, not for FloopFloop platform events.
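
The verification, replay-window and fail-closed rules from the FAQ above, as an added Node.js example (not FloopFloop's generated code). It assumes hex-encoded signatures, Unix-second timestamps, the generic `x-webhook-signature` / `x-webhook-timestamp` headers, and 400/401 status codes for rejects; only the 503 comes from the page.

```javascript
const crypto = require("node:crypto");

const REPLAY_WINDOW_SEC = 300; // 5-minute default from the FAQ

function sign(secret, payload) {
  return crypto.createHmac("sha256", secret).update(payload).digest("hex");
}

// Constant-time compare; anything that is not 64 hex chars is rejected up front.
function safeEqualHex(given, expected) {
  if (typeof given !== "string" || !/^[0-9a-f]{64}$/i.test(given)) return false;
  return crypto.timingSafeEqual(Buffer.from(given, "hex"), Buffer.from(expected, "hex"));
}

// headers: lower-cased header map. rawBody: Buffer of the exact bytes received,
// taken before any JSON.parse. Timestamps are assumed to be Unix seconds.
function verifyWebhook({ headers, rawBody, secret, env = "production",
                         nowSec = Math.floor(Date.now() / 1000) }) {
  if (!secret) {
    // Fail closed in production; dev accepts unsigned deliveries but warns.
    if (env === "production") return { ok: false, status: 503, reason: "WEBHOOK_SECRET unset" };
    console.warn("unsigned webhook delivery accepted (dev mode)");
    return { ok: true, status: 200, reason: "unsigned-dev" };
  }
  const ts = headers["x-webhook-timestamp"];
  let payload = rawBody;
  if (ts !== undefined) {
    if (!/^\d{1,12}$/.test(ts)) return { ok: false, status: 400, reason: "bad timestamp" };
    // Math.abs also rejects far-future timestamps (an added assumption).
    if (Math.abs(nowSec - Number(ts)) > REPLAY_WINDOW_SEC)
      return { ok: false, status: 401, reason: "stale timestamp" };
    // Bind the timestamp into the MAC input: "timestamp.body".
    payload = Buffer.concat([Buffer.from(`${ts}.`), rawBody]);
  }
  if (!safeEqualHex(headers["x-webhook-signature"], sign(secret, payload)))
    return { ok: false, status: 401, reason: "bad signature" };
  return { ok: true, status: 200, reason: ts === undefined ? "signed-body-only" : "signed-fresh" };
}
```

Because the signature covers `timestamp.body`, rewriting the timestamp header or dropping it from a captured delivery changes the MAC input and the request is rejected as a bad signature.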
