Skills

knock-webhooks

Installation
SKILL.md

Knock Webhooks

When to Use This Skill

  • Setting up Knock outbound webhook handlers
  • Debugging x-knock-signature verification failures
  • Handling Knock notification message lifecycle events (sent, delivered, bounced, read, link_clicked)
  • Reacting to Knock resource changes (workflow.committed, translation.committed, etc.)
  • Porting a Stripe-style verifier to Knock and discovering it silently fails (Knock uses milliseconds, Stripe uses seconds)

Verification (core)

Knock signs each webhook with HMAC-SHA256 (base64) and sends a single header:

x-knock-signature: t=<timestamp_ms>,s=<base64_signature>

The signed string is ${timestamp_ms}.${raw_body} (period separator). The timestamp is in milliseconds, not seconds — this is an explicit deviation from Stripe. There is no SDK helper (@knocklabs/node and knockapi do not expose an inbound verification method); verify with the standard library.

Installs
54
Repository
hookdeck/webhook-skills
GitHub Stars
73
First Seen
May 18, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
knock-webhooks — hookdeck/webhook-skills