Box Webhook v2 + Vercel Sandbox

Minimal receiver ready to validate and offload Box webhook events.

Send Box webhook `POST` requests to /api/box/webhook. The route verifies Box’s v2 signatures, rejects stale or malformed deliveries, applies a basic in-memory duplicate check, then creates a Vercel Sandbox to process the event payload in isolation.

Expected environment variables

BOX_WEBHOOK_PRIMARY_KEY
BOX_WEBHOOK_SECONDARY_KEY
VERCEL_OIDC_TOKEN or VERCEL_TEAM_ID + VERCEL_PROJECT_ID + VERCEL_TOKEN
VERCEL_SANDBOX_RUNTIME, VERCEL_SANDBOX_TIMEOUT_MS, VERCEL_SANDBOX_VCPUS are optional

Route behavior

Reads the raw request body before parsing JSON
Checks Box timestamp freshness and both HMAC signatures
Uses the Box event body id as the dedupe key
Writes the event into the sandbox and runs a tiny Node processor

Example webhook body

{
  "type": "webhook_event",
  "id": "eb0c4e06-751f-442c-86f8-fd5bb404dbec",
  "created_at": "2026-04-18T09:00:00-07:00",
  "trigger": "FILE.UPLOADED",
  "webhook": { "id": "53", "type": "webhook" },
  "source": { "id": "73835521473", "type": "file", "name": "invoice.pdf" }
}