Idempotency
At ingest time, Odyhook derives a stable per-source dedupe key for every incoming webhook. The first rule that yields a value wins:
- The
Idempotency-Keyrequest header, if present — an explicit caller-supplied key. - The Stripe
idfield parsed from the JSON body, when the source's verify style isstripe. Stripe replays the same event with the sameidon its own retries. - The
X-GitHub-Deliveryheader, when the source's verify style isgithub. - Fallback:
sha256(body)in hex — catches generic providers that retry the same payload with no identifier.
The Stripe and GitHub rules are gated on the configured verify style on purpose: Odyhook trusts those fields only when the source is set up as that provider, so a different sender can't spoof them to collide with a future legitimate event.
Uniqueness is enforced in Postgres by a @@unique([sourceId, idempotencyKey]) constraint. When a webhook produces a (sourceId, key) pair that already exists, Odyhook returns the prior event instead of inserting a new one — so downstream destinations aren't fired twice for the same event.
Providers re-send webhooks on their own retry schedules. This dedupe key is what stops those re-sends from fanning out into duplicate downstream deliveries.