Manage Keys
Rotate consumer secrets and validate every Chainhook delivery
What you'll learn
Create/rotate a Chainhook consumer secret.
Validate webhook requests by checking the Authorization header.
Prerequisites
- Hiro API key stored as CHAINHOOKS_API_KEY.
- Chainhook UUID you want to protect.
- Node.js runtime (the example uses Fastify).
Validating webhook requests with a consumer secret
Chainhooks attach an Authorization: Bearer <secret> header to every webhook attempt, giving you a simple shared-secret handshake.
1. Rotate the secret with await client.rotateConsumerSecret(chainhookUuid) (or the /chainhooks/{uuid}/secret API) whenever you need a new token.
2. Persist the returned secret in your secret manager and reload it at process start or via a short refresh loop.
3. Reject webhook deliveries whose Authorization header does not equal Bearer <current-secret>.
Rotate/create consumer secret
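import { ChainhooksClient, CHAINHOOKS_BASE_URL } from '@hirosystems/chainhooks-client';

const client = new ChainhooksClient({
  baseUrl: CHAINHOOKS_BASE_URL.mainnet, // or .testnet / custom URL
  apiKey: process.env.CHAINHOOKS_API_KEY!,
});

// Placeholder: the UUID of the chainhook you want to protect.
const chainhookUuid = '<your-chainhook-uuid>';

// Await the call first, then read `secret` from the resolved result.
let consumerSecret: string = (await client.rotateConsumerSecret(chainhookUuid)).secret;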
Example Fastify server
import Fastify from 'fastify';

const server = Fastify();

server.post('/webhook', async (request, reply) => {
  // Fail closed if the secret has not been loaded yet.
  if (!consumerSecret) {
    reply.code(503).send({ error: 'consumer secret unavailable' });
    return;
  }

  // Every delivery must carry "Authorization: Bearer <current-secret>".
  const authHeader = request.headers.authorization;
  if (authHeader !== `Bearer ${consumerSecret}`) {
    reply.code(401).send({ error: 'invalid consumer secret' });
    return;
  }

  // request.body is untyped; narrow it to the one field read here.
  const event = request.body as { chainhook: { uuid: string } };
  console.log(`received chainhook ${event.chainhook.uuid}`);
  reply.code(204).send();
});

await server.listen({ port: Number(process.env.PORT) || 3000 });
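
The header check from the handler above, written as a constant-time comparison that fails closed. This is an added example, not part of the original page or the Chainhooks client; the names checkChainhookAuth, statusFor and AuthResult and the sample secrets are assumptions made for illustration.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto';

// Hypothetical result type for this example (not part of the Chainhooks client).
type AuthResult = 'ok' | 'secret-unavailable' | 'missing-header' | 'invalid';

// Hash both sides to 32 bytes: timingSafeEqual throws on unequal lengths, and
// fixed-length digests keep the compare time independent of the header content.
function digest(value: string): Buffer {
  return createHash('sha256').update(value, 'utf8').digest();
}

function checkChainhookAuth(
  authHeader: string | string[] | undefined,
  currentSecret: string | undefined,
): AuthResult {
  // Fail closed: an unset or empty secret must never match "Bearer ".
  if (!currentSecret) return 'secret-unavailable';
  // Reject an absent header or anything that is not a single string value.
  if (typeof authHeader !== 'string' || authHeader.length === 0) {
    return 'missing-header';
  }
  const expected = `Bearer ${currentSecret}`;
  return timingSafeEqual(digest(authHeader), digest(expected)) ? 'ok' : 'invalid';
}

// Same status codes as the Fastify handler on this page.
function statusFor(result: AuthResult): number {
  if (result === 'ok') return 204;
  if (result === 'secret-unavailable') return 503;
  return 401;
}

// Constructed sample values, not real secrets.
const oldSecret = 'constructed-secret-A';
const newSecret = 'constructed-secret-B';
const samples: Array<[string | undefined, string | undefined]> = [
  [`Bearer ${newSecret}`, newSecret], // current secret
  [`Bearer ${oldSecret}`, newSecret], // stale secret after rotation
  [undefined, newSecret],             // no Authorization header
  [`Bearer ${newSecret}`, undefined], // secret not loaded yet
];
for (const [header, secret] of samples) {
  const result = checkChainhookAuth(header, secret);
  console.log(result, statusFor(result));
}
```

In the Fastify handler, pass request.headers.authorization and the currently loaded secret, then send statusFor(result) as the reply code.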