Orb Webhooks

When to Use This Skill

• Setting up Orb webhook handlers
• Debugging Orb signature verification failures
• Understanding Orb event types and payloads
• Handling usage-based billing, subscription, or invoice events

Verification (core)

Orb signs every webhook with HMAC-SHA256 over the literal string v1:{X-Orb-Timestamp}:{rawBody}. The hex digest is delivered in X-Orb-Signature prefixed with v1= (e.g. v1=abc123…). The ISO 8601 timestamp arrives separately in X-Orb-Timestamp. Use the raw request body — don't JSON.parse first.

The orb-billing SDK (npm and PyPI) does not expose an unwrap()/constructEvent() helper at this time, so manual HMAC verification is the canonical path in every framework.

Node:

const crypto = require('crypto');