Coal sends HMAC-SHA256 signed events to your endpoint. Register this URL in your dashboard and complete a checkout to see live events.
Signature Verification
HMAC-SHA256 — verify every event server-side, over the raw request body, before parsing or acting on it
import crypto from 'crypto';
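/**
 * Checks that a webhook payload was signed with the shared secret.
 *
 * Recomputes the hex-encoded HMAC-SHA256 of `payload` under `secret` and
 * compares it with `signature` in constant time.
 *
 * @param payload - The raw request body, exactly as received (not re-serialized JSON).
 * @param signature - The signature value sent with the request.
 * @param secret - The shared webhook signing secret.
 * @returns `true` only when the signature matches; `false` for any missing,
 * malformed or mismatching input. Never throws on a bad signature.
 */
export function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  // Fail closed when the header is absent or the secret is unset/empty at
  // runtime (e.g. an undefined environment variable slipping past the types).
  if (typeof signature !== 'string' || typeof secret !== 'string' || secret.length === 0) {
    return false;
  }

  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  const received = Buffer.from(signature);
  const computed = Buffer.from(expected);

  // timingSafeEqual throws a RangeError when the buffers differ in length, so
  // a signature of the wrong size must be rejected here rather than surfacing
  // as an unhandled exception. The expected length is fixed and public, so
  // this early return leaks nothing about the secret.
  if (received.length !== computed.length) {
    return false;
  }

  return crypto.timingSafeEqual(received, computed);
}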
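// In your webhook handler (Fetch-style Request/Response):
// Read the secret and the signature header up front. Headers on a Fetch
// Request are read with .get(), which returns null when the header is absent.
const secret = process.env.COAL_WEBHOOK_SECRET;
const sig = req.headers.get('x-coal-signature');
// Verify against the raw body text; parse the JSON only after this check passes.
const raw = await req.text();
// Reject when the secret is not configured, the header is missing, or the
// signature does not match, so the handler fails closed in every case.
if (!secret || !sig || !verifyWebhookSignature(raw, sig, secret)) {
  return Response.json({ error: 'Invalid signature' }, { status: 401 });
}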