How does this skill protect against replay attacks?

It implements a timestamp validation check that compares the 'x-exa-timestamp' header against the current time, rejecting any requests older than 5 minutes.

Why is raw body parsing necessary for Exa webhooks?

Cryptographic signature verification requires the exact, unaltered payload. Standard JSON parsers can change whitespace or property ordering, which causes the signature check to fail.

Can I test these webhooks on my local machine?

Yes, the skill includes instructions for using tools like Ngrok to expose your local server and the Exa CLI to trigger test events for debugging.

Is Redis required to use this skill?

No, Redis is optional but recommended for implementing idempotency, which ensures that your application doesn't process the same webhook multiple times if the provider retries the request.

Exa Webhooks & Events

Name: Exa Webhooks & Events
Author: jeremylongshore

byjeremylongshore

•

983

API Development

Implements secure webhook endpoints for Exa with signature validation and idempotent event handling.

About

This skill provides a standardized approach to implementing and securing Exa webhook notifications in your applications. It includes production-grade patterns for cryptographic signature verification using HMAC-SHA256, replay attack prevention via timestamp checking, and structured event dispatching. By utilizing this skill, developers can quickly set up reliable endpoints that handle Exa resource updates, creations, or deletions while maintaining strict security standards and ensuring data integrity through idempotency patterns.

Key Features

Idempotent event processing using Redis
Local testing workflows using Ngrok and CURL
Replay attack protection via timestamp validation
983 GitHub stars
HMAC-SHA256 signature verification logic
Express.js raw body handling patterns

Use Cases

Securing public API endpoints against unauthorized webhook requests
Syncing local databases with real-time Exa resource updates
Triggering automated workflows based on Exa platform notifications

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jeremylongshore/claude-code-plugins-plus-skills exa-webhooks-events

For use in Claude.ai and ChatGPT

Download Skill

GitHub