An HTTP request to the Cerebrium API can be parameterized to forward data from your function/app to a specified endpoint via a POST.
This allows you to use webhooks in your architecture. To achieve this, we can simply add the webhookEndpoint
query parameter to any API call:
curl -X POST https://api.aws.us-east-1.cerebrium.ai/v4/<YOUR-PROJECT-ID>/<YOUR-APP>/run?webhookEndpoint=https%3A%2F%2Fwebhook.site%2F'\
-H 'Content-Type: application/json'\
-H 'Authorization: Bearer <YOUR-JWT-TOKEN>\
--data '{"param": "hello world"}'
This will then forward the body by sending a POST request to your specified webhook. Since this is
a feature of our proxy, you will not need to modify any part of your code to use the webhook
functionality. You should, however, ensure that your endpoint is able to receive POST requests. While
this will work for both Cortex and Custom runtimes, it will only work for HTTP requests, and not websockets.
To illustrate this, suppose your function returns {"smile": "wave"}
. We would then make a POST call from
our proxy that would look like this to your webhook:
We do not actually use curl
. This is used as an example to show what a
webhook may expect.
curl -X POST https://webhook.site/'\
-H 'Content-Type: application/json'\
--data '{"smile": "wave"}'
Webhook Signature Verification
To verify that webhooks are genuinely coming from Cerebrium, you can use our webhook signature verification system:
- Include an
X-Webhook-Secret
header with a secret value of your choice when making requests to our API
- When you receive a webhook, we’ll include the following headers:
X-Request-Id
: A unique identifier for the request
X-Cerebrium-Webhook-Timestamp
: The Unix timestamp when the webhook was sent
X-Cerebrium-Webhook-Signature
: The signature in the format v1,<signature>
- To verify the signature:
import hmac
import hashlib
def verify_webhook_signature(request_id, timestamp, body, signature, secret):
# Remove the 'v1,' prefix from the signature
signature = signature.split(',')[1] if ',' in signature else signature
# Construct the signed content
signed_content = f"{request_id}.{timestamp}.{body}"
# Calculate expected signature
expected_signature = hmac.new(
secret.encode(),
signed_content.encode(),
hashlib.sha256
).hexdigest()
# Compare signatures
return hmac.compare_digest(expected_signature, signature)
The body should include everything returned from cerebrium (run_id, function
response, timestamp etc) not just your function response
This ensures that the webhook is genuinely from Cerebrium and hasn’t been tampered with.