Setting up secure webhook endpoint on VPS for Twitch bot event notifications

I’m trying to configure webhook handling for my Twitch bot that runs on a VPS server.

I’ve been looking at Twitch EventSub webhook documentation and examples, but I’m having trouble understanding how to properly set this up on my remote server. Most tutorials I found use tools like ngrok for local development, but that’s not what I need since my bot is already running on a VPS.

My main confusion is around:

  • How to handle the webhook verification process correctly
  • Setting up the POST endpoint to receive event data properly
  • Making sure the HTTPS connection works without external tunneling tools

I understand the basics of GET requests, but the POST handling part is where I’m getting stuck. The webhook needs to be accessible from the internet and handle Twitch’s verification challenges.

Has anyone successfully implemented this setup on a VPS? What’s the correct approach for handling these webhooks without using local tunneling solutions?

The HMAC validation was the biggest pain - you need to use the exact raw request body Twitch sends, not a parsed version. I kept screwing up the signature validation cuz I was checking against JSON.parse() output instead of the raw body. Also make sure ur webhook secret matches exactly what u registered with Twitch.

Webhook verification is pretty simple once you get it. Twitch sends a challenge parameter with the initial subscription request - just echo it back with a 200 status code. For POST requests, validate everything using the message signature by checking the HMAC-SHA256 hash against your webhook secret. You’ll need HTTPS since Twitch requires it. If your VPS doesn’t have SSL yet, grab a certificate from your cloud provider or use Certbot for free ones. Just make sure your webhook URL is publicly accessible and returns the right HTTP status codes for both verification and events.
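The raw-body HMAC check described in the two replies above, as an added example that is not part of any post in this thread. Header names, the signed string (message id + timestamp + raw body) and the message types follow Twitch's EventSub documentation; the function names, secret and sample delivery are constructed for illustration.

```javascript
// Added example, not code from the thread; secret and sample values are constructed.
const crypto = require("crypto");
const MAX_AGE_MS = 10 * 60 * 1000; // replay guard: drop deliveries older than 10 min

// HMAC-SHA256 over message id + timestamp + the raw body bytes, hex-encoded.
function computeSignature(secret, id, ts, rawBody) {
  return "sha256=" + crypto.createHmac("sha256", secret)
    .update(id).update(ts).update(rawBody).digest("hex");
}

// headers: lower-cased header map; rawBody: Buffer as received, never re-serialized.
function verifySignature(secret, headers, rawBody) {
  const expected = Buffer.from(computeSignature(secret,
    headers["twitch-eventsub-message-id"] || "",
    headers["twitch-eventsub-message-timestamp"] || "", rawBody));
  const sent = Buffer.from(headers["twitch-eventsub-message-signature"] || "");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return expected.length === sent.length && crypto.timingSafeEqual(expected, sent);
}

// Returns the HTTP response the endpoint should send: { status, body }.
function handleEventSub(secret, headers, rawBody, now = Date.now()) {
  if (!verifySignature(secret, headers, rawBody)) return { status: 403, body: "" };
  const age = now - Date.parse(headers["twitch-eventsub-message-timestamp"]);
  if (!(Math.abs(age) <= MAX_AGE_MS)) return { status: 403, body: "" }; // NaN fails closed
  let msg;
  try { msg = JSON.parse(rawBody.toString("utf8")); } // parse only after the HMAC passes
  catch { return { status: 400, body: "" }; }
  switch (headers["twitch-eventsub-message-type"]) {
    case "webhook_callback_verification":
      return { status: 200, body: String(msg.challenge) }; // echo as plain text
    case "notification":
      return { status: 204, body: "", event: msg.event }; // hand msg.event to the bot
    default:
      return { status: 204, body: "" }; // e.g. "revocation": acknowledge only
  }
}

// Constructed sample delivery, signed with the given secret, for offline testing.
function constructedSample(secret, type, bodyText) {
  const rawBody = Buffer.from(bodyText);
  const ts = "2024-01-01T00:00:00.000Z";
  const headers = {
    "twitch-eventsub-message-id": "constructed-msg-1",
    "twitch-eventsub-message-timestamp": ts,
    "twitch-eventsub-message-type": type,
    "twitch-eventsub-message-signature": computeSignature(secret, "constructed-msg-1", ts, rawBody),
  };
  return { headers, rawBody, now: Date.parse(ts) + 1000 };
}
```

In an Express app, mounting `express.raw({ type: "application/json" })` on the webhook route gives the handler the body as a Buffer, which is what `rawBody` expects here.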

I handled webhook verification in separate middleware before processing events. Here’s what tripped me up: Twitch sends the challenge as a query parameter during setup, NOT in the POST body. Your endpoint needs to handle GET requests for verification AND POST requests for actual events. I wasted hours trying to parse the challenge from POST data. Also check your firewall allows inbound connections on whatever port you’re using. I threw nginx in front as a reverse proxy for SSL - way easier than dealing with certificates in my app code.

I totally get ur struggle! For ur VPS, try using Let’s Encrypt for SSL certs. Create an Express route for verification and just return Twitch’s challenge param. Also, ensure that ports 443 and 80 are open on ur server. It should work smooth!
