Make sure you’re ready to take your app to production.
WorkOS sends webhooks from a fixed set of IP addresses. If you are looking to create a list of allowed IP addresses for webhooks, use these IP addresses:
Handle edge cases.
You may occasionally receive duplicate webhook events. To prevent duplicate processing of events, we suggest caching received events and implementing logic to skip processing seen events.
Since webhook events may be delivered out of order, i.e. not in the order in which they were generated, be sure to handle accordingly. The issued_timestamp extracted from the WorkOS-Signature header can be used to determine order.
Register a production webhook URL in your Production Project.
Set and secure your Production Project’s Webhook Secret.
Set and secure your Production Project’s API key.
Ensure that your application can receive redirects and webhooks from WorkOS. Depending on your network architecture, you may need to allowlist incoming traffic from api.workos.com.