A provider pack is preconfigured inbound verification for a known provider. Hooksbase ships provider packs for Stripe, GitHub, Clerk, Slack, and Resend — five providers whose webhook signatures are validated at the relay edge before the payload reaches your endpoint.
HTTP ingest still requires the Hooksbase ingest secret first. In practice, the provider request must include Authorization: Bearer <ingest secret>, or it must pass through a thin forwarder that preserves the raw body and provider signature headers while adding the Hooksbase bearer token.
What a provider pack does
When you configure a webhook with provider: stripe (or github, clerk, slack, resend), Hooksbase:
- Validates the signature using the provider's specific scheme (Stripe's
t=...,v1=..., GitHub'sX-Hub-Signature-256, Standard Webhooks for Clerk and Resend, Slack'sv0:HMAC) - Rejects forged or stale events before persistence, so quotas and downstream resources aren't burned on bad input
- Extracts provider metadata into queryable fields:
provider.name,provider.sourceId,provider.eventType,provider.verified - Handles provider-specific quirks — e.g. Slack's URL verification challenge is answered automatically
Why this matters
Without a provider pack, you'd write the verification code yourself for every provider — roughly 50 lines per provider, plus the secret rotation, plus the signature-update story when the provider changes their scheme. With a provider pack, that's all at the relay edge.
Providers outside the pack list (Shopify, Twilio, Notion, Plaid, Jira, Polar, etc.) can still flow through Hooksbase reliably, but Hooksbase does not verify their native signatures and outbound HTTP dispatch does not forward the original provider signature headers. If you need cryptographic verification for those providers, verify them in a small pre-ingest forwarder, then post the verified payload to Hooksbase with the bearer ingest secret. The relay's other reliability primitives (retries, replay, DLQ, delivery history) apply after the event is accepted.
For the practical setup: Verify provider webhooks.
Related terms
- Webhook
An HTTP request one service sends to another to notify it that something happened.
Read - HMAC
Hash-based Message Authentication Code — proves a message came from someone who knows a shared secret and was not modified.
Read - Attempt
One HTTP request within a delivery's retry chain.
Read - Bulk replay (re-drive)
Replaying or DLQ-re-driving many deliveries from a selection in one operation.
Read