Secure Palantir Foundry Webhooks Implementation

v20260423

palantir-webhooks-events

This comprehensive guide details the process of implementing a secure and robust system for handling Palantir Foundry webhook events. It covers key steps including API-based webhook registration, mandatory signature verification with replay protection, sophisticated event routing for various object lifecycles (create, update, delete), and ensuring idempotent processing using caching mechanisms like Redis. Use this when external microservices must react reliably and immediately to changes within the Foundry Ontology or data assets.

Palantir Foundry Webhooks Events Python API Data Integration Idempotency

Get Skill

68 downloads

Overview

Palantir Webhooks & Events

Overview

Handle Foundry webhook events for Ontology changes, dataset updates, and build completions. Covers webhook registration via the Foundry API, signature verification, event routing, and idempotent processing.

Prerequisites

Foundry enrollment with webhook support enabled
HTTPS endpoint accessible from Foundry's network
foundry-platform-sdk installed

Instructions

Step 1: Register a Webhook via API

import os, foundry

client = foundry.FoundryClient(
    auth=foundry.ConfidentialClientAuth(
        client_id=os.environ["FOUNDRY_CLIENT_ID"],
        client_secret=os.environ["FOUNDRY_CLIENT_SECRET"],
        hostname=os.environ["FOUNDRY_HOSTNAME"],
        scopes=["api:read-data", "api:write-data"],
    ),
    hostname=os.environ["FOUNDRY_HOSTNAME"],
)

# Register webhook for object change events
webhook = client.webhooks.Webhook.create(
    url="https://myapp.example.com/webhooks/foundry",
    event_types=["ontology.object.created", "ontology.object.updated"],
    secret="whsec_your_webhook_secret_here",
)
print(f"Webhook registered: {webhook.rid}")

Step 2: Webhook Endpoint with Signature Verification

from flask import Flask, request, jsonify
import hmac, hashlib

app = Flask(__name__)

@app.post("/webhooks/foundry")
def handle_foundry_webhook():
    # Verify signature
    signature = request.headers.get("X-Foundry-Signature", "")
    timestamp = request.headers.get("X-Foundry-Timestamp", "")
    secret = os.environ["FOUNDRY_WEBHOOK_SECRET"]

    signed_payload = f"{timestamp}.{request.get_data(as_text=True)}"
    expected = hmac.new(
        secret.encode(), signed_payload.encode(), hashlib.sha256
    ).hexdigest()

    if not hmac.compare_digest(signature, expected):
        return jsonify({"error": "Invalid signature"}), 401

    # Replay protection — reject timestamps older than 5 minutes
    import time
    if abs(time.time() - int(timestamp)) > 300:
        return jsonify({"error": "Timestamp too old"}), 401

    event = request.get_json()
    handle_event(event)
    return jsonify({"received": True}), 200

Step 3: Event Router

def handle_event(event: dict):
    event_type = event.get("type", "")
    handlers = {
        "ontology.object.created": on_object_created,
        "ontology.object.updated": on_object_updated,
        "ontology.object.deleted": on_object_deleted,
        "dataset.updated": on_dataset_updated,
        "build.completed": on_build_completed,
    }
    handler = handlers.get(event_type)
    if handler:
        handler(event["data"])
    else:
        print(f"Unhandled event type: {event_type}")

def on_object_created(data: dict):
    obj_type = data["objectType"]
    primary_key = data["primaryKey"]
    print(f"Object created: {obj_type}/{primary_key}")
    # Sync to external system, trigger workflow, etc.

def on_object_updated(data: dict):
    obj_type = data["objectType"]
    changes = data.get("changedProperties", {})
    print(f"Object updated: {obj_type} — changed: {list(changes.keys())}")

def on_object_deleted(data: dict):
    print(f"Object deleted: {data['objectType']}/{data['primaryKey']}")

def on_dataset_updated(data: dict):
    print(f"Dataset updated: {data['datasetRid']} branch={data['branch']}")

def on_build_completed(data: dict):
    status = data["buildStatus"]
    print(f"Build {data['buildRid']}: {status}")

Step 4: Idempotent Processing

import redis

r = redis.Redis.from_url(os.environ.get("REDIS_URL", "redis://localhost:6379"))

def idempotent_handle(event: dict):
    event_id = event["id"]
    key = f"foundry:event:{event_id}"
    if r.exists(key):
        print(f"Skipping duplicate event: {event_id}")
        return
    handle_event(event)
    r.setex(key, 86400 * 7, "processed")  # 7-day TTL

Output

Webhook registered with Foundry for Ontology/dataset events
Signature verification with replay protection
Event router dispatching to typed handlers
Idempotent processing preventing duplicate handling

Error Handling

Issue	Cause	Solution
Invalid signature	Wrong webhook secret	Verify secret matches registration
Timestamp rejected	Server clock drift	Sync NTP; widen tolerance
Duplicate events	Network retry	Use event ID deduplication
Handler timeout	Slow processing	Offload to background queue

Resources

Next Steps

For performance optimization, see palantir-performance-tuning.

Info

Category Data Science

Name palantir-webhooks-events

Version v20260423

Size 5.14KB

Source jeremylongshore/claude-code-plugins-plus-skills

Updated At 2026-04-28