Refactor API hooks to use dynamic base URL for hosted environments

[softmarshmallow]

Update the API hooks in the submission process to utilize a dynamic base URL that adapts based on the hosting environment. This change prevents potential 401 errors when accessing protected domains and ensures the GRIDA S2S private API key is safely handled. Additionally, clean up the handling of the API key in the notification email route for improved security.

Summary by CodeRabbit

• Bug Fixes

  • Improved environment variable handling for API configuration to ensure consistent default values.

• Chores

  • Simplified API header validation logic for better maintainability.
  • Updated API endpoint configuration for improved reliability.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Feb 5, 2026 1:18pm
grida	Ready	Preview, Comment	Feb 5, 2026 1:18pm

5 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
code	Ignored		Feb 5, 2026 1:18pm
legacy	Ignored		Feb 5, 2026 1:18pm
backgrounds	Skipped		Feb 5, 2026 1:18pm
blog	Skipped		Feb 5, 2026 1:18pm
viewer	Skipped		Feb 5, 2026 1:18pm

[coderabbitai]

Walkthrough

This pull request refactors webhook endpoint handling by introducing a conditional base URL mechanism for API calls and simplifying authentication header extraction. The GRIDA_S2S_PRIVATE_API_KEY environment variable now defaults to null when undefined, and the header validation logic is streamlined to use a single key.

Changes

Cohort / File(s)	Summary
Webhook Base URL & Auth Refactoring editor/app/(api)/(public)/v1/submit/[id]/hooks.ts, editor/app/(api)/(public)/v1/submit/[id]/hooks/notification-respondent-email/route.ts	Introduced conditional HOOK_BASE_URL for flexible API endpoint routing, updated GRIDA_S2S_PRIVATE_API_KEY to default to null, and simplified authentication header extraction to use only "x-grida-s2s-key".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Through hooks and endpoints the rabbit did dance,
URLs now flexible, given a chance,
Headers simplified, auth keys aligned,
Base paths redirected, just as designed!
Cleaner and safer, the magic's refined ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: refactoring API hooks to use a dynamic base URL for hosted environments, which aligns with the core modifications shown in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch canary

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f38c6386a3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Keep hook callbacks on the active deployment host

Switching HOOK_BASE_URL to Env.web.HOST in hosted mode can send hook requests to a different environment than the one that processed the submission (for example when NEXT_PUBLIC_URL is a canonical domain but the request is handled by a preview/canary deployment). In that case response_id/form_id lookups happen against the wrong backend and post-submit side effects (session clear, post-indexing, respondent email) are dropped even though submit succeeded. Using the current deployment host (Env.server.HOST) or a deployment-aware fallback avoids cross-environment drift.

Useful? React with 👍 / 👎.