
This skill helps you implement secure Vercel webhook endpoints with signature verification and idempotent event handling for reliable deployments.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill vercel-webhooks-events

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: vercel-webhooks-events
description: |
  Implement Vercel webhook signature validation and event handling.
  Use when setting up webhook endpoints, implementing signature verification,
  or handling Vercel event notifications securely.
  Trigger with phrases like "vercel webhook", "vercel events",
  "vercel webhook signature", "handle vercel events", "vercel notifications".
allowed-tools: Read, Write, Edit, Bash(curl:*)
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Vercel Webhooks Events

## Prerequisites
- Vercel webhook secret configured
- HTTPS endpoint accessible from internet
- Understanding of cryptographic signatures
- Redis or database for idempotency (optional)

## Instructions

### Step 1: Register Webhook Endpoint
Configure your webhook URL in the Vercel dashboard.

### Step 2: Implement Signature Verification
Use the signature verification code to validate incoming webhooks.

### Step 3: Handle Events
Implement handlers for each event type your application needs.

### Step 4: Add Idempotency
Prevent duplicate processing with event ID tracking.

## Output
- Secure webhook endpoint
- Signature validation enabled
- Event handlers implemented
- Replay attack protection active

## Error Handling

See `{baseDir}/references/errors.md` for comprehensive error handling.

## Examples

See `{baseDir}/references/examples.md` for detailed examples.

## Resources
- [Vercel Webhooks Guide](https://vercel.com/docs/webhooks)
- [Webhook Security Best Practices](https://vercel.com/docs/webhooks/security)

Overview

This skill implements Vercel webhook signature validation and structured event handling to secure incoming notifications. It provides a clear workflow for registering endpoints, verifying HMAC signatures, and processing events with replay protection and idempotency. The goal is a production-ready webhook receiver that resists tampering and duplicate processing.

How this skill works

The skill verifies each incoming request by computing an HMAC using the configured Vercel webhook secret and comparing it to the signature header supplied by Vercel. Validated requests are parsed for their event type and routed to registered handlers. Optionally, event IDs are recorded in a datastore (Redis or any DB) to enforce idempotency and prevent replay attacks.
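
The verify-then-deduplicate flow described above, as an added example (not the skill's or Vercel's own code). It assumes the signature is a hex HMAC-SHA1 of the raw body in an `x-vercel-signature` header and that events carry string `id` and `type` fields; confirm both against the Vercel docs. The function names and the in-memory store are hypothetical stand-ins for Redis or a database.

```javascript
const crypto = require("node:crypto");

// Assumption: hex HMAC-SHA1 of the raw body in this header; confirm in the Vercel docs.
const SIGNATURE_HEADER = "x-vercel-signature";

function sign(rawBody, secret) {
  return crypto.createHmac("sha1", secret).update(rawBody).digest("hex");
}

// Verify over the exact bytes received, never over re-serialized JSON.
function verifySignature(rawBody, headerValue, secret) {
  if (typeof headerValue !== "string") return false;
  const expected = Buffer.from(sign(rawBody, secret), "utf8");
  const given = Buffer.from(headerValue, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// In-memory stand-in for an atomic "set if absent with TTL" (Redis SET NX EX).
// Returns true only the first time an ID is seen inside the TTL window.
function makeSeenStore(ttlMs, now = Date.now) {
  const expiry = new Map();
  return function firstSeen(id) {
    const t = now();
    for (const [key, exp] of expiry) if (exp <= t) expiry.delete(key);
    if (expiry.has(id)) return false;
    expiry.set(id, t + ttlMs);
    return true;
  };
}

// handlers: Map of event type -> function. Returns the HTTP status to send.
function handleWebhook(rawBody, headers, secret, firstSeen, handlers) {
  if (!verifySignature(rawBody, headers[SIGNATURE_HEADER], secret)) {
    return { status: 401, result: "bad-signature" };
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return { status: 400, result: "bad-json" };
  }
  if (typeof event?.id !== "string" || typeof event?.type !== "string") {
    return { status: 400, result: "bad-event" };
  }
  if (!firstSeen(event.id)) return { status: 200, result: "duplicate" };
  const handler = handlers.get(event.type);
  if (!handler) return { status: 200, result: "ignored" };
  handler(event);
  return { status: 200, result: "handled" };
}
```

With more than one receiver instance, replace `makeSeenStore` with an atomic set-if-absent in the shared datastore so concurrent deliveries cannot both pass. The ID is recorded before the handler runs, so a handler that throws is not retried on redelivery unless you release the ID on failure.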

When to use it

  • Setting up a secure webhook endpoint to receive Vercel notifications
  • Validating Vercel webhook signatures before processing payloads
  • Routing different Vercel event types to dedicated handlers
  • Preventing duplicate processing of webhook events in production
  • Implementing automated workflows triggered by Vercel events

Best practices

  • Store your Vercel webhook secret securely (env variable or secrets manager)
  • Always verify the HMAC signature before any business logic runs
  • Record event IDs in a datastore to ensure idempotent processing
  • Respond quickly with 2xx on successful validation and queue heavy work
  • Log validation failures and rate-limit repeated invalid attempts

Example use cases

  • Trigger CI/CD steps when a deployment event arrives, validated by signature
  • Send Slack notifications for deployment success/fail events after verification
  • Auto-scale or warm services based on Vercel build and deployment webhooks
  • Maintain an audit log of validated Vercel events with event IDs
  • Integrate Vercel events into ticketing or observability systems reliably

FAQ

What header contains the Vercel signature?

Vercel supplies a signature header you must compare against an HMAC computed with your webhook secret; consult Vercel docs for the exact header name used by your integration.

How do I prevent processing the same event twice?

Store each incoming event ID in a datastore (Redis or DB) and skip processing if the ID is already present; set reasonable TTLs to bound storage.