For quick Supabase webhook setup, refer to https://docs.val.town/integrations/supabase.

You can hard-code a secret as a webhook header for good-enough auth as outlined in those docs^. This example takes security a step further with full signature verification.

1. Generate a high entropy secret key like caffeinated-carpet-blunder-tournament and add it both to your val's environment variables and Supabase vault:

2. Go to Supabase database functions and create a function to generate a signature:

DECLARE
  hmac_result bytea;
BEGIN
  hmac_result := hmac(message::bytea, secret_key::bytea, 'sha256');
  RETURN encode(hmac_result, 'base64');
END;

3. Create another database function in Supabase to create the signed webhook:

DECLARE
  url text;
  secret text;
  payload jsonb;
  request_id bigint;
  signature text;
BEGIN
  -- Get the webhook secret from the vault
  SELECT decrypted_secret INTO secret FROM vault.decrypted_secrets WHERE name = 'VAL_TOWN_WEBHOOK_SECRET' LIMIT 1;

  -- Generate the payload
  payload = jsonb_build_object(
    'old_record', old,
    'record', new,
    'type', tg_op,
    'table', tg_table_name,
    'schema', tg_table_schema
  );

  -- Generate the signature
  signature = generate_hmac(secret, payload::text);

  -- Send the webhook request
  SELECT http_post
  INTO request_id
  FROM
    net.http_post(
      'https://TODO', -- 👋 Copy-paste your val's HTTP URL here!
      payload,
      '{}',
      jsonb_build_object(
        'Content-Type', 'application/json',
        'X-Supabase-Signature', signature
      ),
      '5000'
    );

  -- Insert the request ID into the Supabase hooks table
  INSERT INTO supabase_functions.hooks
    (hook_table_id, hook_name, request_id)
  VALUES (tg_relid, tg_name, request_id);

  RETURN new;
END;

4. Create a Supabase database trigger to call the webhook function:

5. Copy or remix this val to receive webhooks and verify the signature you just set up in Supabase