Make sure you’re ready to take your app to production.
Handle edge cases. You may occasionally receive duplicate webhook events. To prevent duplicate processing of events, we suggest caching received events and implementing logic to skip processing seen events.
Since webhook events may be delivered out of order, i.e. not in the order in which they were generated, be sure to handle accordingly. The issued_timestamp extracted from the WorkOS-Signature header can be used to determine order.
issued_timestamp
WorkOS-Signature
Register a production webhook URL in your Production Project.
Set and secure your Production Project’s Webhook Secret.
Set and secure your Production Project’s API key.
Ensure that your application can receive redirects and webhooks from WorkOS. Depending on your network architecture, you may need to allowlist incoming traffic from api.workos.com.
api.workos.com
WorkOS currently cannot promise that redirect and webhook traffic will originate from a static set of IP addresses.