Receive real-time notifications when connections are created, updated, or deleted
Webhooks let you receive real-time notifications when events occur in Lava, such as new connections being created, wallet balances changing, or connections being deleted.
Webhooks provide reliable backend processing. While frontend callbacks offer instant UX feedback, webhooks ensure events are processed even when users close tabs or lose network connection.
Create an API route to receive webhook events. Lava signs every request with HMAC SHA-256 via the X-Webhook-Signature header — always verify this before processing.
Always verify signatures. Without verification, malicious actors could send fake events to grant unauthorized access, trigger false balance alerts, or simulate deletions.
Next.js
Express
app/api/webhooks/lava/route.ts
Copy
Ask AI
import { NextRequest, NextResponse } from 'next/server';import crypto, { timingSafeEqual } from 'crypto';export async function POST(req: NextRequest) { const body = await req.text(); const signature = req.headers.get('X-Webhook-Signature'); if (!signature || !verifySignature(body, signature)) { return NextResponse.json({ error: 'Invalid signature' }, { status: 401 }); } const payload = JSON.parse(body); // Return 200 quickly, process in background handleWebhookEvent(payload).catch(console.error); return NextResponse.json({ received: true });}function verifySignature(body: string, signature: string): boolean { const expected = crypto .createHmac('sha256', process.env.LAVA_WEBHOOK_SECRET!) .update(body) .digest('hex'); const sigBuf = Buffer.from(signature, 'hex'); const expBuf = Buffer.from(expected, 'hex'); return sigBuf.length === expBuf.length && timingSafeEqual(sigBuf, expBuf);}async function handleWebhookEvent(payload: { event: string; data: any }) { switch (payload.event) { case 'connection.created': // Store connection_id, send welcome email, enable access break; case 'connection.wallet.balance.updated': // Check has_lava_credit_balance, notify on low balance break; case 'connection.deleted': // Revoke access, clean up connection_id break; }}
Webhooks are delivered once with a 10-second timeout. Return 200 immediately and process asynchronously to avoid timeouts. Implement idempotency using connection_id to handle any duplicate deliveries gracefully.