Taking your app to the next level.
Handle edge cases. You may occasionally receive duplicate webhook events. To prevent duplicate processing of events, we suggest caching received events and implementing logic to skip processing seen events.
Since webhook events may be delivered out of order, i.e. not in the order in which they were generated, be sure to handle accordingly. The issued_timestamp extracted from the WorkOS-Signature header can be used to determine order.
Register a production webhook URL in your Production Project.
Set and secure your Production Project's Webhook Secret.
Set and secure your Production Project's API key.
Ensure that your application can receive redirects and webhooks from WorkOS. Depending on your network architecture, you may need to allowlist incoming traffic from api.workos.com.
WorkOS currently cannot promise that redirect and webhook traffic will originate from a static set of IP addresses.