Clerk (svix) webhooks - IP whitelist validation fails

naftulisinger
HOBBY OP

21 days ago

I'm trying to validate incoming Clerk (Svix) webhooks by checking that the request IP is in the official list at https://docs.svix.com/webhook-ips.json.

However, the requests reaching my Railway app show IPs like 100.64.0.x, which are not in that list.

It seems the real Svix IPs are not visible to my application, and I’m not sure why.



naftulisinger
HOBBY OP

21 days ago

I think I found the solution.

What’s happening

When Svix (Clerk’s webhook service) sends a request to your Railway app:

  • The request first goes through Railway’s internal load balancer or proxy.

  • Railway then forwards it to your container over its internal network.

  • As a result, in your app request.client.host appears as something like 100.64.0.x (Railway’s internal IP range), not the original Svix IP.

How to fix it

When Railway forwards the request, it sets the X-Forwarded-For header to include the original client IP address (the Svix IP).
You should trust the real client IP from the X-Forwarded-For header instead of request.client.host.


Status changed to Solved naftulisinger 21 days ago
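An added example, not part of the posts above and not Railway's or Svix's code: the X-Forwarded-For header is honoured only when the direct peer is the platform proxy, and the right-most entry that is not a trusted proxy is used, because everything to the left of it is supplied by the sender. The names `client_ip`, `is_allowed`, `TRUSTED_PROXIES` and `SAMPLE_ALLOWLIST` are hypothetical, the 100.64.0.0/10 proxy range is an assumption generalised from the 100.64.0.x addresses in the thread, and the allowlist holds constructed documentation addresses rather than the real contents of webhook-ips.json.

```python
import ipaddress

# Assumption: the platform proxy reaches the app from this range
# (the thread only shows 100.64.0.x).
TRUSTED_PROXIES = [ipaddress.ip_network("100.64.0.0/10")]
# Constructed sample allowlist (documentation addresses, not real Svix IPs).
SAMPLE_ALLOWLIST = {"203.0.113.10", "203.0.113.11"}


def _is_trusted_proxy(ip):
    # A version mismatch (IPv6 address, IPv4 network) evaluates to False.
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Return the address the trusted proxy saw, or None if undeterminable.

    peer is the socket peer (request.client.host); xff is the raw
    X-Forwarded-For header value, or None when the header is absent.
    """
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        return None
    if not _is_trusted_proxy(peer_ip):
        # Direct connection: the header is fully sender-controlled, ignore it.
        return peer_ip
    # Walk right to left: entries on the right were appended by our proxies,
    # entries further left are whatever the sender chose to send.
    for part in reversed((xff or "").split(",")):
        try:
            hop = ipaddress.ip_address(part.strip())
        except ValueError:
            return None  # missing or malformed entry: fail closed
        if not _is_trusted_proxy(hop):
            return hop
    return None


def is_allowed(peer, xff, allowlist=SAMPLE_ALLOWLIST):
    """True only if the derived client address is on the allowlist."""
    ip = client_ip(peer, xff)
    return ip is not None and str(ip) in allowlist
```

Taking the first (left-most) entry instead would let any sender pass the check by sending its own X-Forwarded-For value. The IP check complements verifying the Svix signature headers on each webhook and does not replace it.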

