Webhooks
Quick reference for the outbound webhook system. For a full walk-through including code samples, see Webhook (Data Extraction).
Where to configure
Dashboard → API → Webhook Settings → Create a new endpoint.
What gets signed
We follow the Standard Webhooks spec. Every POST carries three headers used together to verify authenticity:
webhook-id— unique per event; use for idempotency.webhook-timestamp— Unix seconds; reject if older than 5 min.webhook-signature—v1,<base64-HMAC-SHA256>over{id}.{ts}.{body}.
Retries
| Outcome | Behavior |
|---|---|
| 2xx | Success. Stop. |
| 4xx (not 408 or 429) | Treated as a permanent failure. No retries. |
| 408, 429, 5xx, timeout | Retry with exponential backoff for up to 3 days. |
Testing
The Send test event button on each endpoint card in the dashboard
fires a signed endpoint.test payload and shows you the HTTP status
- latency we got back. Use it whenever you change the URL or rotate the signing secret.
Webhook Logs
The dashboard's Webhook Logs tab shows the last 100 delivery attempts with status, event type, and timestamp. Click any row to see the full payload, response body, and error.
Rotating the signing secret
Click Regenerate secret on the endpoint card. The old secret stops working immediately. Update your server, then re-run a test event to confirm.