import { createHmac, timingSafeEqual } from "crypto";
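/**
 * Checks a webhook signature against the HMAC-SHA256 of the payload.
 *
 * @param payload - The exact string the signature was computed over.
 * @param signature - Hex-encoded HMAC-SHA256 supplied by the sender.
 * @param secret - Shared secret used as the HMAC key.
 * @returns `true` only when the signature decodes to the expected digest;
 *   `false` for a missing, malformed, wrong-length or mismatching signature.
 */
function verifyWebhook(
  payload: string,
  signature: string,
  secret: string
): boolean {
  // Callers often pass a raw header value; anything that is not a string
  // cannot be a valid signature.
  if (typeof signature !== "string") {
    return false;
  }

  const expected = createHmac("sha256", secret).update(payload).digest();

  // Buffer.from(..., "hex") stops at the first non-hex character, so check the
  // text length as well as the decoded length.
  if (signature.length !== expected.length * 2) {
    return false;
  }
  const provided = Buffer.from(signature, "hex");

  // timingSafeEqual throws when the buffers differ in length, which would turn
  // a bad signature into an unhandled exception instead of a rejection.
  if (provided.length !== expected.length) {
    return false;
  }

  // Constant-time comparison so response timing does not reveal how many
  // leading bytes of the signature matched.
  return timingSafeEqual(provided, expected);
}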
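// In your Express handler:
// Rejects any delivery whose x-lucid-signature header does not verify against
// WEBHOOK_SECRET, before the payload is read.
app.post("/webhooks/lucid", (req, res) => {
  const sig = req.headers["x-lucid-signature"];
  // A header may be absent (undefined) or repeated (string[]); only a single
  // string value can carry a valid signature.
  if (typeof sig !== "string") {
    return res.status(401).send("Invalid signature");
  }
  // NOTE(review): the HMAC is computed over a re-serialization of the parsed
  // body. That only matches if JSON.stringify reproduces the sender's bytes
  // exactly (key order, whitespace, escaping). Presumably the sender signs the
  // raw request body; confirm, and if so verify against the raw bytes captured
  // before JSON parsing.
  if (!verifyWebhook(JSON.stringify(req.body), sig, WEBHOOK_SECRET)) {
    return res.status(401).send("Invalid signature");
  }
  const { type, data } = req.body;
  // NOTE(review): the whole event payload goes to the log; confirm it cannot
  // hold secrets or personal data before keeping this in production.
  console.log(`Received ${type}:`, data);
  res.status(200).send("OK");
});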