vastai-webhooks-events_skill

This skill validates Vast.ai webhooks with signature verification, idempotent handling, and secure event processing for reliable integrations.
  • Python

1.4k

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill jeremylongshore/claude-code-plugins-plus-skills --skill vastai-webhooks-events

  • SKILL.md5.3 KB

Overview

This skill implements Vast.ai webhook signature validation and event handling to secure and process incoming notifications. It provides code patterns for raw-body verification, HMAC-SHA256 signature checks, replay protection, and structured event dispatch. Use it to build robust webhook endpoints that reject tampered or replayed requests and ensure idempotent processing.

How this skill works

The skill verifies the X-Vastai-Signature by computing an HMAC-SHA256 over a signed payload composed of the timestamp and raw request body. It rejects requests with stale timestamps to prevent replay attacks. Valid events are parsed and routed to type-specific handlers, and optional Redis-based idempotency keys prevent duplicate processing.

When to use it

  • Setting up a public HTTPS endpoint to receive Vast.ai webhook notifications
  • Validating incoming webhook signatures to ensure authenticity
  • Protecting against replay attacks with timestamp checks
  • Routing Vast.ai events to application-specific handlers
  • Adding idempotency when duplicate deliveries are possible

Best practices

  • Require the raw request body for signature verification and compute HMAC-SHA256 with your webhook secret
  • Reject timestamps older than a short window (e.g., 5 minutes) to mitigate replay attacks
  • Use timing-safe comparisons to avoid leaking signature validation timing information
  • Mark processed event IDs in Redis or a database with TTL to achieve idempotency
  • Keep handlers fast and push long-running work to background queues to avoid timeouts

Example use cases

  • Securely receiving resource.created, resource.updated, and resource.deleted events from Vast.ai
  • Triggering inventory updates or auto-scaling workflows on resource.created events
  • Preventing double-processing of retries by checking Redis for event IDs
  • Testing webhook logic locally using ngrok or the Vast.ai CLI test trigger
  • Logging unhandled event types and safely ignoring unsupported notifications

FAQ

Use X-Vastai-Signature and X-Vastai-Timestamp. Compute the expected signature from timestamp + raw body and compare using a timing-safe method.

How do I protect against replay attacks?

Reject requests where the timestamp is older than your allowed window (for example, 5 minutes) and keep clocks synchronized via NTP.

Is idempotency required?

Idempotency is strongly recommended. Store processed event IDs (e.g., in Redis) with a TTL to avoid duplicate processing from retries.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
vastai-webhooks-events skill by jeremylongshore/claude-code-plugins-plus-skills | VeilStrat