Webhooks & Revalidation
Automatic cache invalidation when content changes.
Webhooks & Revalidation
When you publish, update, or unpublish a post in AutoBlogWriter, a webhook is sent to your configured endpoints. The SDK provides handlers that automatically verify the signature and revalidate your Next.js cache.
How It Works
1. Content published in AutoBlogWriter
2. AutoBlogWriter signs payload with HMAC-SHA256
3. POST request sent to your webhook URL
4. SDK handler verifies signature
5. Next.js cache tags and paths are revalidated
6. Updated content appears on your site
Quick Setup
1. Set Environment Variable
AUTOBLOGWRITER_REVALIDATE_SECRET=your_webhook_secret_here2. Create the Route Handler
// app/api/autoblogwriter/revalidate/route.ts
import { createEnvRevalidateHandler } from "@autoblogwriter/sdk/next";
export const runtime = "nodejs";
export const POST = createEnvRevalidateHandler();3. Configure in Dashboard
Go to your workspace Settings > Webhooks and add:
- URL:
https://yoursite.com/api/autoblogwriter/revalidate - Secret: Same as your
AUTOBLOGWRITER_REVALIDATE_SECRETenv var
That's it — your site will now automatically update when content changes.
Webhook Payload
AutoBlogWriter sends a JSON payload:
{
"workspaceSlug": "my-blog",
"postSlug": "my-first-post",
"event": "post.published",
"ts": "2025-01-15T10:00:00.000Z"
}| Field | Type | Description |
|---|---|---|
workspaceSlug | string | Your workspace identifier |
postSlug | string | null | The affected post's slug (null for workspace-wide events) |
event | string | Event type (e.g., post.published, post.updated) |
ts | string | ISO 8601 timestamp |
Signature Verification
The payload is signed with HMAC-SHA256 using your revalidation secret. The signature is sent in the X-AutoBlogWriter-Signature header as a hex string.
Automatic (Recommended)
The createEnvRevalidateHandler() and createRevalidateRouteHandler() functions verify signatures automatically.
Manual Verification
import { verifyWebhookSignature } from "@autoblogwriter/sdk";
const isValid = verifyWebhookSignature({
rawBody: requestBodyString,
signature: request.headers.get("x-autoblogwriter-signature"),
secret: process.env.AUTOBLOGWRITER_REVALIDATE_SECRET!,
});
if (!isValid) {
return new Response("Unauthorized", { status: 401 });
}The verifyWebhookSignature function:
- Accepts the signature with or without a
sha256=prefix. - Uses
crypto.timingSafeEqualto prevent timing attacks. - Returns
falsefor missing or malformed signatures (never throws).
What Gets Revalidated
The default handler revalidates these paths and tags:
Paths
| Path | Type | When |
|---|---|---|
/blog | page | Always |
/blog/{postSlug} | page | When postSlug is provided |
/sitemap.xml | route | Always |
/robots.txt | route | Always |
Cache Tags
| Tag | When |
|---|---|
autoblogwriter:{workspaceSlug}:posts | Always |
autoblogwriter:{workspaceSlug}:post:{postSlug} | When postSlug is provided |
autoblogwriter:{workspaceSlug}:sitemap | Always |
Timestamp Validation
The handler rejects payloads older than 5 minutes (configurable) to prevent replay attacks. If your server's clock is significantly off, increase the skew tolerance.
Advanced: Custom Route Handler
For full control over revalidation behavior:
import { createRevalidateRouteHandler } from "@autoblogwriter/sdk";
import { revalidatePath, revalidateTag } from "next/cache";
export const runtime = "nodejs";
export const POST = createRevalidateRouteHandler({
secret: process.env.AUTOBLOGWRITER_REVALIDATE_SECRET!,
// Allow payloads up to 10 minutes old (default: 300 seconds)
allowedSkewSeconds: 600,
// Next.js cache functions
revalidatePath,
revalidateTag,
// Custom paths to revalidate
revalidatePaths: (payload) => {
const paths = ["/blog", "/sitemap.xml"];
if (payload.postSlug) {
paths.push(`/blog/${payload.postSlug}`);
paths.push(`/articles/${payload.postSlug}`); // Custom route
}
return paths;
},
// Custom tags to revalidate
revalidateTags: (payload) => {
const tags = [`blog:${payload.workspaceSlug}:all`];
if (payload.postSlug) {
tags.push(`blog:${payload.workspaceSlug}:${payload.postSlug}`);
}
return tags;
},
});CreateRevalidateRouteHandlerOptions
| Option | Type | Default | Description |
|---|---|---|---|
secret | string | — | Required. HMAC-SHA256 secret |
allowedSkewSeconds | number | 300 | Max timestamp age in seconds |
revalidatePath | (path, type?) => void | — | Next.js revalidatePath function |
revalidateTag | (tag) => void | — | Next.js revalidateTag function |
revalidatePaths | (payload) => string[] | Default paths | Custom path builder |
revalidateTags | (payload) => string[] | Default tags | Custom tag builder |
Response Format
Success (200)
{
"ok": true,
"event": "post.published",
"revalidated": {
"paths": ["/blog", "/blog/my-post", "/sitemap.xml", "/robots.txt"],
"tags": ["autoblogwriter:my-blog:posts", "autoblogwriter:my-blog:post:my-post", "autoblogwriter:my-blog:sitemap"]
}
}Errors
| Status | Error | Cause |
|---|---|---|
401 | Invalid webhook signature | Secret mismatch or tampered payload |
400 | Invalid JSON / missing fields | Malformed webhook body |
409 | Timestamp outside allowed skew | Stale or replayed payload |
500 | Failed to revalidate cache | Error calling revalidatePath/revalidateTag |
Static Export (output: "export")
If you're using Next.js static export (output: "export" in next.config.js), API route handlers are not supported — the revalidation webhook endpoint won't work.
Instead, use your hosting provider's auto-deploy webhook so that AutoBlogWriter triggers a full rebuild when content changes. Since static exports cache aggressively, make sure your build command clears the Next.js cache before building.
Example: Render
- In Render, copy your service's Deploy Hook URL (Settings → Build & Deploy → Deploy Hook).
- In the AutoBlogWriter dashboard, go to Settings → Webhooks and add the Render deploy hook URL.
- Set your Render Build Command to clear the cache before building:
rm -rf .next/cache && npm run buildThis ensures every deploy starts fresh — no stale cached pages from a previous build.
Other Hosting Providers
Most hosting platforms that support static sites offer a similar deploy hook mechanism:
| Provider | Deploy Hook |
|---|---|
| Render | Settings → Deploy Hook URL |
| Netlify | Build hooks (Settings → Build & Deploy) |
| Vercel | Deploy hooks (Project Settings → Git) |
| Cloudflare Pages | Deploy hooks (Settings → Builds & Deployments) |
The pattern is the same: point AutoBlogWriter's webhook at your provider's deploy hook, and ensure the build command clears any cache (rm -rf .next/cache && npm run build).
Next Steps
- Next.js Helpers — Data fetching functions that set cache tags.
- Environment Config — How the SDK reads your revalidation secret.
On this page
- How It Works
- Quick Setup
- 1. Set Environment Variable
- 2. Create the Route Handler
- 3. Configure in Dashboard
- Webhook Payload
- Signature Verification
- Automatic (Recommended)
- Manual Verification
- What Gets Revalidated
- Paths
- Cache Tags
- Timestamp Validation
- Advanced: Custom Route Handler
- `CreateRevalidateRouteHandlerOptions`
- Response Format
- Success (200)
- Errors
- Static Export (`output: "export"`)
- Example: Render
- Other Hosting Providers
- Next Steps