Implement CodeRabbit webhook signature validation and event handling. Use when setting up webhook endpoints, implementing signature verification, or handling CodeRabbit event notifications securely. Trigger with phrases like "coderabbit webhook", "coderabbit events", "coderabbit webhook signature", "handle coderabbit events", "coderabbit notifications".
View on GitHubjeremylongshore/claude-code-plugins-plus-skills
coderabbit-pack
plugins/saas-packs/coderabbit-pack/skills/coderabbit-webhooks-events/SKILL.md
February 1, 2026
Select agents to install to:
npx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/blob/main/plugins/saas-packs/coderabbit-pack/skills/coderabbit-webhooks-events/SKILL.md -a claude-code --skill coderabbit-webhooks-eventsInstallation paths:
.claude/skills/coderabbit-webhooks-events/# CodeRabbit Webhooks & Events
## Overview
Securely handle CodeRabbit webhooks with signature validation and replay protection.
## Prerequisites
- CodeRabbit webhook secret configured
- HTTPS endpoint accessible from internet
- Understanding of cryptographic signatures
- Redis or database for idempotency (optional)
## Webhook Endpoint Setup
### Express.js
```typescript
import express from 'express';
import crypto from 'crypto';
const app = express();
// IMPORTANT: Raw body needed for signature verification
app.post('/webhooks/coderabbit',
express.raw({ type: 'application/json' }),
async (req, res) => {
const signature = req.headers['x-coderabbit-signature'] as string;
const timestamp = req.headers['x-coderabbit-timestamp'] as string;
if (!verifyCodeRabbitSignature(req.body, signature, timestamp)) {
return res.status(401).json({ error: 'Invalid signature' });
}
const event = JSON.parse(req.body.toString());
await handleCodeRabbitEvent(event);
res.status(200).json({ received: true });
}
);
```
## Signature Verification
```typescript
function verifyCodeRabbitSignature(
payload: Buffer,
signature: string,
timestamp: string
): boolean {
const secret = process.env.CODERABBIT_WEBHOOK_SECRET!;
// Reject old timestamps (replay attack protection)
const timestampAge = Date.now() - parseInt(timestamp) * 1000;
if (timestampAge > 300000) { // 5 minutes
console.error('Webhook timestamp too old');
return false;
}
// Compute expected signature
const signedPayload = `${timestamp}.${payload.toString()}`;
const expectedSignature = crypto
.createHmac('sha256', secret)
.update(signedPayload)
.digest('hex');
// Timing-safe comparison
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSignature)
);
}
```
## Event Handler Pattern
```typescript
type CodeRabbitEventType = 'resource.created' | 'resource.updated' | 'resource.deleted';
interface CodeRabbitEvent