Receive real-time notifications when customers are created, updated, or deleted
Webhooks let you receive real-time notifications when events occur in Lava, such as new customers being created, wallet balances changing, or customers being deleted.
Webhooks provide reliable backend processing. While frontend callbacks offer instant UX feedback, webhooks ensure events are processed even when users close tabs or lose network connection.
Create an API route to receive webhook events. Lava signs every request with HMAC SHA-256 via the X-Webhook-Signature header — always verify this before processing.
Always verify signatures. Without verification, malicious actors could send fake events to grant unauthorized access, trigger false balance alerts, or simulate deletions.
Next.js
Express
app/api/webhooks/lava/route.ts
Copy
Ask AI
import { NextRequest, NextResponse } from 'next/server';import crypto, { timingSafeEqual } from 'crypto';export async function POST(req: NextRequest) { const body = await req.text(); const signature = req.headers.get('X-Webhook-Signature'); if (!signature || !verifySignature(body, signature)) { return NextResponse.json({ error: 'Invalid signature' }, { status: 401 }); } const payload = JSON.parse(body); // Return 200 quickly, process in background handleWebhookEvent(payload).catch(console.error); return NextResponse.json({ received: true });}function verifySignature(body: string, signature: string): boolean { const expected = crypto .createHmac('sha256', process.env.LAVA_WEBHOOK_SECRET!) .update(body) .digest('hex'); const sigBuf = Buffer.from(signature, 'hex'); const expBuf = Buffer.from(expected, 'hex'); return sigBuf.length === expBuf.length && timingSafeEqual(sigBuf, expBuf);}async function handleWebhookEvent(payload: { event: string; data: any }) { switch (payload.event) { case 'customer.created': // Store customer_id, send welcome email, enable access break; case 'customer.wallet.balance.updated': // Check subscription credits, notify on low balance break; case 'customer.deleted': // Revoke access, clean up customer_id break; }}
Webhooks are delivered once with a 10-second timeout. Return 200 immediately and process asynchronously to avoid timeouts. Implement idempotency using customer_id to handle any duplicate deliveries gracefully.