David Multer
Founder of Hookalu
Sep 1, 2019

Webhook of the week - Coinbase

I looked forward to building my first webhook source to support developers working with cryptocurrency, and Coinbase looked like a good place to start. I was expecting a pretty typical integration, but found one of the more unique and challenging efforts I’ve had so far.

First was the discovery that Coinbase is actually two distinctly different products. Each product had its own website, dashboard, and webhook integration. The first product is Coinbase, which has notifications for wallet events, while the second product is Coinbase Commerce, which has notifications for charge events. I’m not sure how many developers use one versus the other or both, but it definitely took a lot more digging to work out the separate details for handling webhooks in both of them.

Given the security aspects of cryptocurrency, I wasn’t surprised that signed events are supported for both types. Coinbase Commerce events are pretty standard HMAC-SHA256 signed payloads, but Coinbase events use an approach I hadn’t seen before. Those events use the RSASSA-PKCS1-v1_5 signature scheme with an RSA public key. I coded my own implementation, but they provide a Ruby implementation as a reference. It’s a nice alternative to the typical shared secret used for webhook signing, but I suspect many developers will get tripped up by this rare style.
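The two verification styles described above, side by side, as an added example that is not code from this post, Hookalu, or Coinbase. The function names, the hex and base64 signature encodings, and the sample event, secret, and key pair are assumptions constructed for illustration.

```ruby
require 'openssl'

# Shared-secret style: HMAC-SHA256 over the raw request body.
# Assumption: the signature value arrives hex-encoded.
def valid_hmac_signature?(raw_body, signature_hex, shared_secret)
  digest = OpenSSL::Digest.new('SHA256')
  expected = OpenSSL::HMAC.hexdigest(digest, shared_secret, raw_body)
  given = signature_hex.to_s.downcase
  return false unless given.bytesize == expected.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y } # constant-time compare
  diff.zero?
end

# Public-key style: RSASSA-PKCS1-v1_5 with SHA-256, checked against the
# sender's published RSA public key. No secret is stored on the receiver.
# Assumption: the signature value arrives base64-encoded.
def valid_rsa_signature?(raw_body, signature_b64, public_key_pem)
  public_key = OpenSSL::PKey::RSA.new(public_key_pem)
  signature = signature_b64.to_s.unpack1('m0') # strict base64, raises on junk
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, raw_body)
rescue ArgumentError, OpenSSL::PKey::PKeyError
  false # malformed signature or key is treated as a failed check
end

# Constructed sample data: a made-up event body, secret, and throwaway key pair
# standing in for the provider's signing key.
SAMPLE_BODY = '{"id":"evt-constructed-1","type":"example"}'
SAMPLE_SECRET = 'constructed-shared-secret'
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_PUBLIC_PEM = SAMPLE_KEY.public_key.to_pem
SAMPLE_HMAC_SIG = OpenSSL::HMAC.hexdigest(
  OpenSSL::Digest.new('SHA256'), SAMPLE_SECRET, SAMPLE_BODY
)
SAMPLE_RSA_SIG = [SAMPLE_KEY.sign(OpenSSL::Digest.new('SHA256'), SAMPLE_BODY)].pack('m0')

# Verify the exact bytes received, before any JSON parsing or re-serialization.
puts "hmac ok:       #{valid_hmac_signature?(SAMPLE_BODY, SAMPLE_HMAC_SIG, SAMPLE_SECRET)}"
puts "rsa ok:        #{valid_rsa_signature?(SAMPLE_BODY, SAMPLE_RSA_SIG, SAMPLE_PUBLIC_PEM)}"
puts "rsa, tampered: #{valid_rsa_signature?(SAMPLE_BODY + ' ', SAMPLE_RSA_SIG, SAMPLE_PUBLIC_PEM)}"
```
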

I liked that a unique ID and event timestamp are provided for both types. Unfortunately, even though the names for the fields are identical, Coinbase Commerce events have these common fields inside an event object. I also found that a test event was provided for one type, but not the other. The lack of this test event made it impossible to complete formal testing without actually performing a financial transaction. I would have also liked to see an API to manage these webhooks programmatically.

I learned quite a bit building in support for both Coinbase webhook types. Their unique security approach required a fair amount of digging through their GitHub repo. Hopefully support for these notifications in Hookalu can help you integrate them into your application without worrying about these details yourself.