Build your first webhook handler in 5 minutes.
Mint a key, register a webhook URL, verify the HMAC signature, ship a Slack notification when one of your packs gets installed. Working Node.js + Python code, copy-paste ready. Uses the public OpenAPI spec at /api/openapi.
What you’ll build
By the end of this you'll have a webhook endpoint that:
- Receives an HTTP POST every time someone installs one of your packs
- Verifies the request actually came from The Platform via HMAC-SHA256
- Posts a Slack notification to your team channel: “{buyer email} just installed {pack name}”
Setup time: about 5 minutes if you have a Slack incoming webhook URL handy.
1. Mint a key
Open /dashboard/creator/keys and click Mint key. Pick scopes — write:webhooks is the only one you need for this. The plaintext key shows once; copy it immediately.
Now register your webhook URL. The dashboard has a UI at /dashboard/creator/webhooks — or via the API:
The response includes a signing_secret. Save it the same way as your API key.
2. Verify the HMAC
Every webhook request carries an X-Platform-Signature header — the HMAC-SHA256 of the raw body using your signing_secret. Verifying it on receipt is one line.
Node.js (with the body as raw Buffer — not parsed JSON):
Python:
Both use constant-time comparison — timingSafeEqual in Node, compare_digest in Python — so the signature check doesn't leak timing info.
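An added example of the verification step in Python, not code from the original page: it assumes the X-Platform-Signature value is the hex-encoded digest (the page does not state the encoding), and the secret, payload fields and function names are constructed for illustration. It rejects a missing or malformed header and shows why the HMAC must be computed over the raw body rather than re-serialised JSON.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real signing_secret comes from webhook registration.
SIGNING_SECRET = b"example-signing-secret"
RAW_BODY = b'{"type": "install.canceled",  "pack": "demo-pack"}'  # constructed payload


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the raw body, hex-encoded (the encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Return True only if header_value matches the HMAC of the exact bytes received."""
    if not header_value:
        return False  # missing or empty X-Platform-Signature header
    try:
        received = bytes.fromhex(header_value.strip())
    except ValueError:
        return False  # not hex: reject instead of raising out of the handler
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest is constant-time and returns False on a length mismatch.
    return hmac.compare_digest(expected, received)


def handle(secret: bytes, raw_body: bytes, header_value):
    """Verify first, parse second. Returns (status_code, parsed_event_or_None)."""
    if not verify_signature(secret, raw_body, header_value):
        return 401, None
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    good = sign(SIGNING_SECRET, RAW_BODY)
    print(handle(SIGNING_SECRET, RAW_BODY, good))       # accepted
    print(handle(SIGNING_SECRET, RAW_BODY, None))       # no header
    print(handle(SIGNING_SECRET, RAW_BODY, "not-hex"))  # malformed header
    # Re-serialising parsed JSON changes the bytes, so the HMAC no longer matches.
    reserialised = json.dumps(json.loads(RAW_BODY)).encode()
    print(verify_signature(SIGNING_SECRET, reserialised, good))
```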
3. Wire Slack
Get a Slack incoming webhook URL from api.slack.com/apps → your app → Incoming webhooks. Should look like https://hooks.slack.com/services/T0000/B0000/xxxx. Drop it in an env var.
The full handler — receives webhook, verifies signature, posts notification:
What’s next
You just shipped a working webhook handler. From here:
- Add more event types. install.canceled, usage.metered.daily, payout.released, payout.paid, review.posted, skill.error are all available. Full list in the OpenAPI spec.
- Read installs + usage directly. GET /api/v1/installs and GET /api/v1/usage are cursor-paginated reads. Same Bearer auth.
- Set up retries. If you return a non-2xx, we retry with exponential backoff up to 7 attempts before sending to your DLQ.
Full reference at /docs/api. Source for the spec at /api/openapi. Questions go to /contact.