npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@zettapay/receiver

v0.1.4

Published

Webhook receiver test tool for the ZettaPay protocol. Stands up a local HTTP server, verifies HMAC-SHA256 signatures, and prints decoded payloads — used during dev/QA to validate a merchant integration before plugging it into production.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

veridian_venturesveridian_ventures

Keywords

zettapaywebhookreceiverhmactest-tooldeveloper-toolsstripe-gradeself-hosted

Readme

@zettapay/receiver

Webhook receiver test tool for the ZettaPay protocol.

Stand up a local HTTP receiver in one command, verify HMAC-SHA256 signatures, inspect every payload — exactly the checks a production merchant endpoint must make, made visible during dev and CI.

The same webhook contract is used by the self-hosted listener (POSTing from your droplet) and the ZettaPay cloud tier (POSTing across the internet). A route that passes this tool's checks works for both.

Install

npm i -g @zettapay/receiver

Or, ephemerally:

npx @zettapay/receiver listen --secret whsec_xxx

Usage

zettapay-receiver listen \
  --port 9876 \
  --secret whsec_xxxxxxxxxxxxxxxxxx \
  --pretty

Endpoints exposed:

| Method | Path | Behavior | | ------ | ----------- | ----------------------------------------------------- | | GET | / | JSON service status (uptime, request counters). | | POST | /webhook | Verify signature + replay window, log + respond JSON. |

Flags

| Flag | Default | Description | | ---- | ------- | ----------- | | --secret <whsec_...> | (required) | HMAC secret matching the listener config. | | --port <n> | 9876 | Bind port. | | --bind <host> | 127.0.0.1 | Bind host. We default to loopback for safety — pass 0.0.0.0 only on a trusted network. | | --max-age <seconds> | 300 | Replay window. | | --pretty | off | Human-readable box per request. | | --log-file <path> | off | Tee JSON lines to a file. | | --exit-on <n> | off | Exit after N successful webhooks. Useful in CI. |

Sample session

Terminal 1:

zettapay-receiver listen --port 9876 --secret $WEBHOOK_SECRET --pretty

Terminal 2:

TS=$(date +%s)
BODY='{"event":"invoice.confirmed","invoice_id":"inv_test","data":{"amount_sats":1000}}'
SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $2}')

curl -X POST http://127.0.0.1:9876/webhook \
  -H "X-ZettaPay-Signature: $SIG" \
  -H "X-ZettaPay-Timestamp: $TS" \
  -d "$BODY"

A valid request gets 200 {"ok": true, "received_at": "..."}. An invalid signature gets 401 {"ok": false, "error": "invalid_signature"}. A timestamp older than 5 minutes gets 401 timestamp_too_old.

End-to-end: real listener pointing at the receiver

@zettapay/listener (≥ 0.1.2) accepts http://localhost and http://127.0.0.1 webhook URLs as a documented dev exception. In any other case, the listener refuses non-HTTPS targets — TLS is required for real deployments.

# .env
MERCHANT_WEBHOOK_URL=http://127.0.0.1:9876/webhook
MERCHANT_WEBHOOK_SECRET=whsec_xxxxxxxxxxxxxxxxxx

When the listener boots with a localhost URL, it logs a single warning:

DEV MODE: webhook over plain http allowed for localhost. Use https for production.

Library usage

import { ReceiverServer } from '@zettapay/receiver';

const server = new ReceiverServer({
  secret: process.env.WEBHOOK_SECRET!,
  port: 0, // OS-assigned
  onWebhook: (outcome) => {
    if (outcome.ok) console.log('ok:', outcome.envelope?.event);
    else console.log('rejected:', outcome.reason);
  },
});

const { port } = await server.listen();
// ... POST to http://127.0.0.1:${port}/webhook ...
await server.close();

Security stance

  • Bound to 127.0.0.1 by default; 0.0.0.0 requires an explicit --bind.
  • HMAC checks use crypto.timingSafeEqual over the raw request body.
  • Replay window enforced via X-ZettaPay-Timestamp header (default 5 min).
  • No persistence: every restart starts with zero state.
  • No outbound calls: nothing leaves the process.
  • No xpub/xprv handling — receiver only validates signed envelopes.

License

MIT