SDKs

curl -G "https://api.newvenuedata.com/v1/licenses" \
  -H "Authorization: Bearer ls_live_xxxxxxxxxxxxxxxx" \
  --data-urlencode "county=Miami-Dade" \
  --data-urlencode "license_type=SRX" \
  --data-urlencode "event_type=new_filing" \
  --data-urlencode "limit=25"

curl "https://api.newvenuedata.com/v1/licenses/lic_8f3a1c2e" \
  -H "Authorization: Bearer ls_live_xxxxxxxxxxxxxxxx"

curl -G "https://api.newvenuedata.com/v1/licenses/search" \
  -H "Authorization: Bearer ls_live_xxxxxxxxxxxxxxxx" \
  --data-urlencode "q=sunset grill" \
  --data-urlencode "county=Broward" \
  --data-urlencode "limit=10"

import crypto from "node:crypto";

// Each webhook delivery is signed with HMAC-SHA256 over the raw
// request body using your endpoint's signing secret (whsec_...).
// The hex digest arrives in the "New Venue Data-Signature" header.
function verifySignature(rawBody, signatureHeader, signingSecret) {
  const expected = crypto
    .createHmac("sha256", signingSecret)
    .update(rawBody, "utf8")
    .digest("hex");

  const a = Buffer.from(expected, "hex");
  const b = Buffer.from(signatureHeader ?? "", "hex");

  // Constant-time comparison to avoid timing attacks.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Express handler. Mount with express.raw so req.body is the raw bytes.
export function handleWebhook(req, res) {
  const signature = req.header("New Venue Data-Signature");
  const valid = verifySignature(
    req.body, // Buffer / raw string, NOT parsed JSON
    signature,
    process.env.LICENSESIGNAL_WEBHOOK_SECRET
  );

  if (!valid) {
    return res.status(400).send("Invalid signature");
  }

  const event = JSON.parse(req.body.toString("utf8"));
  console.log("Received event:", event.type);
  res.status(200).send("ok");
}