From aceeebe9380084fcafdbe317c0afab5d8684e9a8 Mon Sep 17 00:00:00 2001
From: marciobever <marciobever@gmail.com>
Date: Wed, 22 Apr 2026 17:53:29 -0300
Subject: [PATCH] =?UTF-8?q?fix(webhook):=20add=20apikey=20header=20to=20st?=
 =?UTF-8?q?ripe-checkout=20call=20=E2=80=94=20fixes=20401=20UNAUTHORIZED?=
 =?UTF-8?q?=5FINVALID=5FJWT=5FFORMAT?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Supabase gateway requires the service role key in the 'apikey' header
for authentication when the key uses the new sb_secret_ format (not JWT).
Previously only sent via Authorization Bearer, which the gateway rejected.
---
 supabase/functions/meta-whatsapp-webhook/index.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/supabase/functions/meta-whatsapp-webhook/index.ts b/supabase/functions/meta-whatsapp-webhook/index.ts
index d3cda8d..3450a58 100644
--- a/supabase/functions/meta-whatsapp-webhook/index.ts
+++ b/supabase/functions/meta-whatsapp-webhook/index.ts
@@ -234,6 +234,7 @@ async function generateStripeCheckoutUrl(userId: string): Promise<string> {
             method: "POST",
             headers: {
                 "Content-Type": "application/json",
+                "apikey": SUPABASE_SERVICE_ROLE_KEY,
                 "Authorization": `Bearer ${SUPABASE_SERVICE_ROLE_KEY}`,
             },
             body: JSON.stringify({ user_id: userId, plan: "mensal" })