update clerk webhook endpoint to work using the verifyWebhook clerk h…

[BBruington]

…elper

Summary by CodeRabbit

• Chores
  • Renamed webhook environment variable to CLERK_WEBHOOK_SIGNING_SECRET for consistency with Clerk naming
  • Switched webhook verification to use Clerk's official verification utility, improving reliability and error handling

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0aa12a16-b19f-4569-b35c-f112fb852194

📥 Commits

Reviewing files that changed from the base of the PR and between 10fbf65 and 46c7bbb.

📒 Files selected for processing (4)

• .github/workflows/ci.yml
• apps/web/.env.example
• apps/web/src/env.ts
• apps/web/src/routes/api.webhooks.clerk.ts

✅ Files skipped from review due to trivial changes (2)

• apps/web/.env.example
• apps/web/src/env.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/web/src/routes/api.webhooks.clerk.ts

---

📝 Walkthrough

Walkthrough

This PR renames the Clerk webhook env var from CLERK_WEBHOOK_SECRET to CLERK_WEBHOOK_SIGNING_SECRET and replaces manual Svix-based webhook signature parsing/verification with Clerk's verifyWebhook(request) utility from @clerk/tanstack-react-start/webhooks.

Changes

Cohort / File(s)	Summary
CI Workflow .github/workflows/ci.yml	Workflow env var renamed: CLERK_WEBHOOK_SECRET → CLERK_WEBHOOK_SIGNING_SECRET.
Environment Example apps/web/.env.example	Example env key renamed: CLERK_WEBHOOK_SECRET=... → CLERK_WEBHOOK_SIGNING_SECRET=....
Server env schema apps/web/src/env.ts	Server-side env schema key updated to require CLERK_WEBHOOK_SIGNING_SECRET instead of CLERK_WEBHOOK_SECRET.
Webhook route apps/web/src/routes/api.webhooks.clerk.ts	Replaced manual Svix header/body parsing and svix.Webhook verification with verifyWebhook(request) from Clerk SDK; updated imports and error handling to return 400 on verification failure.

Sequence Diagram(s)

sequenceDiagram
  participant Clerk as Clerk (Webhook sender)
  participant Server as Server Route `/api/webhooks/clerk`
  participant SDK as Clerk SDK `verifyWebhook`
  participant Handler as App Event Handler

  Clerk->>Server: POST /api/webhooks/clerk (headers + body)
  Server->>SDK: verifyWebhook(request)
  SDK-->>Server: returns event OR throws verification error
  alt verification succeeds
    Server->>Handler: pass verified event
    Handler-->>Server: 200 OK
  else verification fails
    SDK-->>Server: throws Error
    Server-->>Clerk: 400 Invalid signature
  end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• update clerk webhook to be a regular route #16: Introduced the original raw Svix-based /api/webhooks/clerk handler that this PR replaces with verifyWebhook(request).

Suggested labels

enhancement

Poem

🐇 I hopped through code with twitching nose,

Renamed the secret where the webhook goes,
Replaced the headers with Clerk's tidy check,
No more raw parsing — that's my tech-spec trek,
A happy rabbit dances — hop, deploy, whoa!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: updating the Clerk webhook endpoint to use the verifyWebhook helper, which aligns with the primary purpose of refactoring the webhook verification logic.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/update-clerk-webhook

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 12: Update the CI workflow secret mapping so the GitHub secret name
matches the environment variable: change the referenced secret from
CLERK_WEBHOOK_SECRET to CLERK_WEBHOOK_SIGNING_SECRET in the workflow where
CLERK_WEBHOOK_SIGNING_SECRET: ${{ secrets.CLERK_WEBHOOK_SECRET }} is defined;
also update the GitHub repository secret name to CLERK_WEBHOOK_SIGNING_SECRET so
secrets.CLERK_WEBHOOK_SIGNING_SECRET is available and consistent with the other
mappings like DISCORD_API_KEY and RESEND_API_KEY.

In `@apps/web/vite.config.ts`:
- Around line 19-21: The empty array for server.allowedHosts causes Vite to
reject tunnel hostnames (breaking Clerk webhooks via ngrok/cloudflared); update
the server.allowedHosts setting (in the server config object) to permit tunneled
hostnames—either set allowedHosts to 'all' or include the specific tunnel host
patterns/domains (e.g., '*.ngrok.io' or your cloudflared domain) so webhook
requests reach your webhook handler; modify the server.allowedHosts entry
accordingly in the vite config.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f1d9ea28-608c-432d-b634-6cca782f58c0

📥 Commits

Reviewing files that changed from the base of the PR and between 2869eff and cd4a0ab.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• apps/web/.env.example
• apps/web/src/env.ts
• apps/web/src/routes/api.webhooks.clerk.ts
• apps/web/vite.config.ts