# Send Hookflo Webhooks to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "hookflo-tern", "name": "Hookflo Webhooks", "source": "tencent", "type": "skill", "category": "效率提升", "sourceUrl": "https://clawhub.ai/Prateek32177/hookflo-tern", "canonicalUrl": "https://clawhub.ai/Prateek32177/hookflo-tern", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/hookflo-tern", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=hookflo-tern", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "evals/evals.json" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "slug": "hookflo-tern", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T04:41:39.971Z", "expiresAt": "2026-05-07T04:41:39.971Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=hookflo-tern", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=hookflo-tern", "contentDisposition": "attachment; filename=\"hookflo-tern-1.0.1.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "hookflo-tern" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/hookflo-tern" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/hookflo-tern", "downloadUrl": "https://openagent3.xyz/downloads/hookflo-tern", "agentUrl": "https://openagent3.xyz/skills/hookflo-tern/agent", "manifestUrl": "https://openagent3.xyz/skills/hookflo-tern/agent.json", "briefUrl": "https://openagent3.xyz/skills/hookflo-tern/agent.md" } } ``` ## Documentation ### Hookflo + Tern Webhook Skill This skill covers two tightly related tools in the Hookflo ecosystem: Tern (@hookflo/tern) — an open-source, zero-dependency TypeScript library for verifying webhook signatures. Algorithm-agnostic, supports all major platforms. Hookflo — a hosted webhook event alerting and logging platform. Sends real-time Slack/email alerts when webhooks fire. No code required on their end; you point your provider at Hookflo's URL and configure alerts in the dashboard. ### Mental Model Incoming Webhook Request │ ▼ [Tern] verify signature ←── your server/edge function │ isValid? │ yes │ no │──────► 400 / reject │ ▼ process payload │ (optionally forward to) ▼ [Hookflo] alert + log Slack / Email / Dashboard Use Tern when you need programmatic signature verification in your own code. Use Hookflo when you want no-code / low-code alerting and centralized event logs. They can be used together or independently. ### Installation npm install @hookflo/tern No other dependencies required. Full TypeScript support. ### Core API WebhookVerificationService.verify(request, config) The primary method. Returns a WebhookVerificationResult. import { WebhookVerificationService } from '@hookflo/tern'; const result = await WebhookVerificationService.verify(request, { platform: 'stripe', secret: process.env.STRIPE_WEBHOOK_SECRET!, toleranceInSeconds: 300, // replay attack protection window (optional, default 300) }); if (result.isValid) { console.log('Verified payload:', result.payload); console.log('Metadata:', result.metadata); // timestamp, id, etc. } else { console.error('Rejected:', result.error); // return 400 } WebhookVerificationService.verifyWithPlatformConfig(request, platform, secret, tolerance?) Shorthand that accepts just a platform name + secret. const result = await WebhookVerificationService.verifyWithPlatformConfig( request, 'github', process.env.GITHUB_WEBHOOK_SECRET! ); WebhookVerificationService.verifyTokenBased(request, webhookId, webhookToken) For token-based platforms (Supabase, GitLab). const result = await WebhookVerificationService.verifyTokenBased( request, process.env.SUPABASE_WEBHOOK_ID!, process.env.SUPABASE_WEBHOOK_TOKEN! ); ### WebhookVerificationResult type interface WebhookVerificationResult { isValid: boolean; error?: string; platform: WebhookPlatform; payload?: any; // parsed JSON body metadata?: { timestamp?: string; id?: string | null; [key: string]: any; }; } ### Built-in Platform Configs PlatformAlgorithmSignature HeaderFormatstripeHMAC-SHA256stripe-signaturet={ts},v1={sig}githubHMAC-SHA256x-hub-signature-256sha256={sig}clerkHMAC-SHA256 (base64)svix-signaturev1,{sig}supabaseToken-basedcustom—gitlabToken-basedx-gitlab-token—shopifyHMAC-SHA256x-shopify-hmac-sha256rawvercelHMAC-SHA256custom—polarHMAC-SHA256custom—dodoHMAC-SHA256 (svix)webhook-signaturev1,{sig} Always use the lowercase string name (e.g., 'stripe', 'github'). ### Custom Platform Configuration For any provider not in the list, supply a full signatureConfig: import { WebhookVerificationService } from '@hookflo/tern'; // Standard HMAC-SHA256 with prefix const result = await WebhookVerificationService.verify(request, { platform: 'acmepay', secret: 'your_secret', signatureConfig: { algorithm: 'hmac-sha256', headerName: 'x-acme-signature', headerFormat: 'prefixed', prefix: 'sha256=', payloadFormat: 'raw', }, }); // Timestamped payload (signs "{timestamp}.{body}") const result2 = await WebhookVerificationService.verify(request, { platform: 'mypay', secret: 'your_secret', signatureConfig: { algorithm: 'hmac-sha256', headerName: 'x-webhook-signature', headerFormat: 'raw', timestampHeader: 'x-webhook-timestamp', timestampFormat: 'unix', payloadFormat: 'timestamped', }, }); // Svix/StandardWebhooks compatible (Clerk, Dodo, etc.) const result3 = await WebhookVerificationService.verify(request, { platform: 'my-svix-platform', secret: 'whsec_abc123...', signatureConfig: { algorithm: 'hmac-sha256', headerName: 'webhook-signature', headerFormat: 'raw', timestampHeader: 'webhook-timestamp', timestampFormat: 'unix', payloadFormat: 'custom', customConfig: { payloadFormat: '{id}.{timestamp}.{body}', idHeader: 'webhook-id', }, }, }); SignatureConfig fields: algorithm: 'hmac-sha256' | 'hmac-sha1' | 'hmac-sha512' | custom headerName: the HTTP header that carries the signature headerFormat: 'raw' | 'prefixed' | 'comma-separated' | 'space-separated' prefix: string prefix to strip before comparing (e.g. 'sha256=') timestampHeader: header name for the timestamp (if any) timestampFormat: 'unix' | 'iso' | 'ms' payloadFormat: 'raw' | 'timestamped' | 'custom' customConfig.payloadFormat: template like '{id}.{timestamp}.{body}' customConfig.idHeader: header supplying the {id} value customConfig.encoding: 'base64' if the provider base64-encodes the key ### Framework Integration Express.js import express from 'express'; import { WebhookVerificationService } from '@hookflo/tern'; const app = express(); // IMPORTANT: use raw body parser for webhook routes app.post( '/webhooks/stripe', express.raw({ type: 'application/json' }), async (req, res) => { const result = await WebhookVerificationService.verifyWithPlatformConfig( req, 'stripe', process.env.STRIPE_WEBHOOK_SECRET! ); if (!result.isValid) { return res.status(400).json({ error: result.error }); } const event = result.payload; // handle event.type, e.g. 'payment_intent.succeeded' res.json({ received: true }); } ); Common mistake: Express's default json() middleware consumes and re-serializes the body, breaking HMAC. Always use express.raw() on webhook endpoints. Next.js App Router (Route Handler) // app/api/webhooks/github/route.ts import { NextRequest, NextResponse } from 'next/server'; import { WebhookVerificationService } from '@hookflo/tern'; export async function POST(req: NextRequest) { const result = await WebhookVerificationService.verifyWithPlatformConfig( req, 'github', process.env.GITHUB_WEBHOOK_SECRET! ); if (!result.isValid) { return NextResponse.json({ error: result.error }, { status: 400 }); } const event = req.headers.get('x-github-event'); // handle event return NextResponse.json({ received: true }); } // Disable body parsing so Tern gets the raw body export const config = { api: { bodyParser: false } }; Cloudflare Workers addEventListener('fetch', (event) => { event.respondWith(handleRequest(event.request)); }); async function handleRequest(request: Request): Promise { if (request.method === 'POST' && new URL(request.url).pathname === '/webhooks/clerk') { const result = await WebhookVerificationService.verifyWithPlatformConfig( request, 'clerk', CLERK_WEBHOOK_SECRET ); if (!result.isValid) { return new Response(JSON.stringify({ error: result.error }), { status: 400, headers: { 'Content-Type': 'application/json' }, }); } return new Response(JSON.stringify({ received: true })); } return new Response('Not Found', { status: 404 }); } ### Platform Manager (Advanced) import { platformManager } from '@hookflo/tern'; // Verify using the platform manager directly const result = await platformManager.verify(request, 'stripe', 'whsec_...'); // Get the config for a platform (for inspection) const config = platformManager.getConfig('stripe'); // Get docs/metadata for a platform const docs = platformManager.getDocumentation('stripe'); // Run built-in tests for a platform const passed = await platformManager.runPlatformTests('stripe'); ### Testing npm test # run all tests npm run test:platform stripe # test one platform npm run test:all # test all platforms ### Part 2 — Hookflo (Hosted Alerting Platform) Hookflo requires no library installation. The integration is: Create a webhook endpoint in the Hookflo Dashboard → get a Webhook URL + Secret Point your provider (Stripe, Supabase, Clerk, GitHub, etc.) at that URL Configure Slack/email notifications in the dashboard ### How to Set Up a Hookflo Integration Step 1 — Go to hookflo.com/dashboard and create a new webhook. You'll receive: Webhook URL — paste into your provider's webhook settings Webhook ID — used for token-based platforms Secret Token — used by Hookflo to verify incoming events Notification channel settings — configure Slack or email Step 2 — Set up the provider to send to that Hookflo URL: ProviderWhere to paste the URLStripeDashboard → Developers → Webhooks → Add endpointSupabaseDashboard → Database → Webhooks → Create webhookClerkDashboard → Webhooks → Add endpointGitHubRepo/Org Settings → Webhooks → Add webhook Step 3 — In the Hookflo dashboard, configure: Which event types to alert on (e.g., payment_intent.succeeded, user.created) Notification channels (Slack workspace/channel, email addresses) Digest frequency if you want batched summaries instead of per-event alerts ### Hookflo Platform Docs Stripe: docs.hookflo.com/webhook-platforms/stripe Supabase: docs.hookflo.com/webhook-platforms/supabase Clerk: docs.hookflo.com/webhook-platforms/clerk GitHub: docs.hookflo.com/webhook-platforms/github Slack notifications: docs.hookflo.com/notification-channels/slack ### Hookflo + Tern Together If you want both programmatic verification (Tern) AND logging/alerting (Hookflo), use a proxy pattern: // Your server receives the webhook, verifies it with Tern, then forwards to Hookflo app.post('/webhooks/stripe', express.raw({ type: 'application/json' }), async (req, res) => { // 1. Verify with Tern const result = await WebhookVerificationService.verifyWithPlatformConfig( req, 'stripe', process.env.STRIPE_WEBHOOK_SECRET! ); if (!result.isValid) return res.status(400).json({ error: result.error }); // 2. Process locally handleStripeEvent(result.payload); // 3. Forward to Hookflo for alerting/logging (optional) await fetch(process.env.HOOKFLO_WEBHOOK_URL!, { method: 'POST', headers: { ...req.headers, 'Content-Type': 'application/json' }, body: req.body, }); res.json({ received: true }); }); Alternatively, point Stripe directly at your Hookflo URL and keep Tern for a different endpoint. ### Raw Body Requirement HMAC signatures are computed over the exact raw bytes of the request body. Any re-serialization (e.g., by a JSON body parser) will break verification. Always ensure: Express: use express.raw({ type: 'application/json' }) on webhook routes Next.js Pages Router: set export const config = { api: { bodyParser: false } } Next.js App Router: Tern reads the body directly from the Request object ### Replay Attack Protection Always pass toleranceInSeconds (default is 300 = 5 minutes). This rejects requests with timestamps too far in the past, preventing replay attacks. ### Secrets Management Never hardcode secrets in source code Use environment variables: process.env.STRIPE_WEBHOOK_SECRET For Cloudflare Workers: use wrangler secret put STRIPE_WEBHOOK_SECRET For Vercel: add secrets in project settings ### Error Responses Always return HTTP 400 (not 500) for failed verification — this signals to the sender that the request was rejected (not that your server crashed). ### HTTPS Only Webhook endpoints must use HTTPS in production. Never accept webhook traffic over HTTP. ### Troubleshooting SymptomLikely CauseFixisValid: false, error about signatureBody was parsed before TernUse raw body parserisValid: false, error about timestampClock skew or replay attackCheck server clock; increase tolerance if devisValid: false for ClerkMissing svix headersEnsure svix-id, svix-timestamp, svix-signature are forwardedisValid: false for GitHubWrong secretRe-copy secret from GitHub Webhooks settingsTern not finding platformTypo in platform nameUse lowercase: 'stripe', 'github', 'clerk'Hookflo not receiving eventsWrong URL pastedRe-copy URL from Hookflo dashboard ### Key Links Tern GitHub: https://github.com/Hookflo/tern Tern npm: https://www.npmjs.com/package/@hookflo/tern Tern docs: https://tern.hookflo.com Hookflo homepage: https://hookflo.com Hookflo dashboard: https://hookflo.com/dashboard Hookflo docs: https://docs.hookflo.com Hookflo Discord: https://discord.com/invite/SNmCjU97nr ## Trust - Source: tencent - Verification: Indexed source record - Publisher: Prateek32177 - Version: 1.0.1 ## Source health - Status: healthy - Item download looks usable. - Yavira can redirect you to the upstream package for this item. - Health scope: item - Reason: direct_download_ok - Checked at: 2026-04-30T04:41:39.971Z - Expires at: 2026-05-07T04:41:39.971Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/hookflo-tern) - [Send to Agent page](https://openagent3.xyz/skills/hookflo-tern/agent) - [JSON manifest](https://openagent3.xyz/skills/hookflo-tern/agent.json) - [Markdown brief](https://openagent3.xyz/skills/hookflo-tern/agent.md) - [Download page](https://openagent3.xyz/downloads/hookflo-tern)