Public
Like
Val Town is a collaborative website to build and scale JavaScript apps.
Deploy APIs, crons, & store data – all from the browser, and deployed in milliseconds.
For quick Supabase webhook setup, refer to https://docs.val.town/integrations/supabase.
You can hard-code a secret as a webhook header for good-enough auth as outlined in those docs^. This example takes security a step further with full signature verification.
- Generate a high entropy secret key like
caffeinated-carpet-blunder-tournamentand add it both to your val's environment variables and Supabase vault:
- Go to Supabase database functions and create a function to generate a signature:
DECLARE hmac_result bytea; BEGIN hmac_result := hmac(message::bytea, secret_key::bytea, 'sha256'); RETURN encode(hmac_result, 'base64'); END;
- Create another database function in Supabase to create the signed webhook:
DECLARE url text; secret text; payload jsonb; request_id bigint; signature text; BEGIN -- Get the webhook secret from the vault SELECT decrypted_secret INTO secret FROM vault.decrypted_secrets WHERE name = 'VAL_TOWN_WEBHOOK_SECRET' LIMIT 1; -- Generate the payload payload = jsonb_build_object( 'old_record', old, 'record', new, 'type', tg_op, 'table', tg_table_name, 'schema', tg_table_schema ); -- Generate the signature signature = generate_hmac(secret, payload::text); -- Send the webhook request SELECT http_post INTO request_id FROM net.http_post( 'https://TODO', -- 👋 Copy-paste your val's HTTP URL here! payload, '{}', jsonb_build_object( 'Content-Type', 'application/json', 'X-Supabase-Signature', signature ), '5000' ); -- Insert the request ID into the Supabase hooks table INSERT INTO supabase_functions.hooks (hook_table_id, hook_name, request_id) VALUES (tg_relid, tg_name, request_id); RETURN new; END;
- Create a Supabase database trigger to call the webhook function:
- Copy or remix this val to receive webhooks and verify the signature you just set up in Supabase