payload-posthog

Webhooks

Signature-verified inbound endpoint for PostHog -> Payload callbacks.

payloadPosthog({
  apiKey: process.env.POSTHOG_API_KEY!,
  webhooks: {
    secret: process.env.POSTHOG_WEBHOOK_SECRET, // HMAC-SHA256 over the raw body; omit to skip verification
    path: '/posthog/webhook', // default
    signatureHeader: 'x-posthog-signature', // default
    handler: async ({ payload: webhookPayload, req }) => {
      await req.payload.create({ collection: 'posthog-events', data: webhookPayload })
      return Response.json({ received: true })
    },
  },
})

There's no default handler — inbound webhook payloads are inherently application-specific (survey responses, experiment results, custom destinations), so you provide the logic. The plugin handles signature verification (when secret is set) and JSON parsing before calling your handler; an invalid signature short-circuits to a 401 before your handler ever runs.

Omitting secret skips verification entirely — fine for local development, not recommended in production.