Concepts
The five concepts that show up in every Postel integration — signing, key rotation, idempotency, raw bytes, edge runtimes.
Webhooks look simple on the surface and quickly become hard once you ship a few. The five pages in this section cover the concepts every Postel integration eventually touches.
- Signing and verification — what the receiver actually checks, the v1 (HMAC) and v1a (Ed25519) signature schemes, and why constant-time comparison matters.
- Key rotation — the multi-secret window, JWKS publication, and how to rotate a leaked secret without a flag day.
- Idempotency — webhooks are at-least-once. How the dedup helper makes them once-effectively, atomically.
- Raw bytes — the most common silent failure mode in webhook receivers. Why you must never JSON.stringify(JSON.parse(body)).
- Edge runtimes — what the 50 KB bundle budget and Web-Crypto-only constraint buy you, and what they cost.
If you're new, signing and verification is the right starting page.