Skip to main content
Starbridge signs every webhook using Ed25519 asymmetric signatures, following the Standard Webhooks specification.

How it works

  1. Starbridge constructs a message by concatenating the webhook ID, timestamp, and body with dots:
  2. This message is signed with Starbridge’s private key using Ed25519.
  3. The signature is base64-encoded and sent in the webhook-signature header with a v1a, prefix.

Verification steps

To verify a webhook:
  1. Extract the headers — read webhook-id, webhook-timestamp, and webhook-signature from the request.
  2. Read the raw body — use the raw request body. Do not parse and re-serialize the JSON, as even minor formatting changes will break verification.
  3. Reconstruct the signed message:
  4. Strip the v1a, prefix from the webhook-signature header and base64-decode the remainder to get the signature bytes.
  5. Strip the whpk_ prefix from your public key and base64-decode the remainder to get the key bytes.
  6. Verify the Ed25519 signature using your language’s crypto library.

Timestamp validation

To protect against replay attacks, check that the webhook-timestamp is recent (within 5 minutes of the current time). Reject requests with timestamps that are too old.

Idempotency

Use the webhook-id header as an idempotency key. Store recently processed webhook IDs and skip any duplicates to avoid processing the same event twice.

Code examples

All examples use the following test data:
Flask example:
Install the dependency: