Appearance
Providers & signature formats
A source's provider field tells Krafter how to verify incoming signatures and where to read the event type from. Four providers are built in: stripe, github, shopify, and generic.
If a third-party isn't on this list, use generic — it covers any provider that signs HMAC-SHA256(body) and puts the result in a single header.
Stripe
json
{ "name": "Stripe", "provider": "stripe", "signing_secret": "whsec_..." }| Item | Value |
|---|---|
| Signature header | Stripe-Signature |
| Format | t=<unix>,v1=<hex> (timestamp-prefixed HMAC-SHA256) |
| Signed payload | <timestamp>.<raw_body> |
| Event type read from | JSON body, path type |
| Stripe Dashboard field | Endpoint URL = https://app.krafter.dev/in/<slug> |
| Stripe secret to copy | The whsec_… shown after creating the endpoint |
GitHub
json
{ "name": "GitHub", "provider": "github", "signing_secret": "<random>" }| Item | Value |
|---|---|
| Signature header | X-Hub-Signature-256 |
| Format | sha256=<hex> HMAC-SHA256 of the raw body |
| Event type read from | header X-GitHub-Event |
| GitHub setting | Payload URL = https://app.krafter.dev/in/<slug>, Content type = application/json, Secret = same value as signing_secret |
Shopify
json
{ "name": "Shopify", "provider": "shopify", "signing_secret": "<shop secret>" }| Item | Value |
|---|---|
| Signature header | X-Shopify-Hmac-Sha256 |
| Format | Base64 of HMAC-SHA256(body) |
| Event type read from | header X-Shopify-Topic |
| Shopify setting | Webhook URL = https://app.krafter.dev/in/<slug>, Format = JSON |
Generic
json
{
"name": "Custom provider",
"provider": "generic",
"signing_secret": "<your secret>",
"signing_algorithm": "sha256",
"signing_header": "X-Webhook-Signature",
"event_type_source": "body",
"event_type_path": "event.name"
}| Field | Purpose |
|---|---|
signing_algorithm | Currently sha256 |
signing_header | Header name carrying the signature (raw hex of the HMAC, no prefix) |
event_type_source | body or header — where Krafter reads the event type from |
event_type_path | Dot-path into the JSON body (when body) or header name (when header) |
What "no signing secret" means
If you create a source without a signing_secret, every incoming POST is accepted and stored, but the resulting event has signature_valid: false. Such events are persisted but not fanned out to destinations — they are visible only in the dashboard / events API for inspection. This lets you wire up a provider in observe-only mode before turning on forwarding.