LegalBanner uses webhooks and scheduled tasks for billing, scanning, and background processing.
## Stripe Webhooks
LegalBanner receives billing events from Stripe at /api/webhooks/stripe. Events handled:
| Event | Action |
|-------|--------|
| checkout.session.completed | Activate subscription, update org plan |
| customer.subscription.updated | Sync plan changes (upgrade/downgrade) |
| customer.subscription.deleted | Revert org to free plan |
| invoice.payment_failed | Flag subscription as past due |
Webhook signatures are verified using the Stripe webhook secret to prevent spoofing.
## Scheduled Cookie Scans
The cookie scanner runs on a schedule via /api/cron/scan. This endpoint:
1. Selects sites due for a scan (based on their scan interval)
2. Crawls each site's pages to detect cookies, scripts, and third-party services
3. Maps findings to known vendors from the vendor database
4. Creates scan_findings records
5. For Pro orgs with Tag Governance, normalizes findings into the Tag Registry
The cron job is authenticated via a CRON_SECRET header to prevent unauthorized execution.
## Background Processing
Some operations run asynchronously:
- Push-to-many deployments - each site in a push is processed sequentially, with per-site status tracking
- Evidence export - compliance evidence packages are assembled and returned as JSON
- Health score computation - site compliance health is computed via a Supabase RPC function
## Rate Limits
SDK-facing endpoints have rate limits to prevent abuse:
| Endpoint | Limit |
|----------|-------|
| /api/sdk/config | 60 requests/min per IP |
| /api/sdk/events | 30 requests/10s per IP |
| /api/sdk/governance/blocked_attempt | 1,000 requests/hr per IP |
| Dashboard API routes | 20 requests/min per IP |