Webhooks
React to product events with HMAC-verified webhooks.
React to product events with HMAC-verified webhooks.
Webhooks let your app react to events as they happen — thing.created,
thing.updated, etc. We POST a JSON payload to a URL you configure.
Dashboard → Settings → Webhooks → Add endpoint. Enter the URL and pick the events you care about. We'll POST to it whenever those events fire.
Every webhook includes an X-Signature-256 header. Verify it matches an
HMAC-SHA256 of the raw request body, keyed with your endpoint's secret:
import { createHmac, timingSafeEqual } from 'node:crypto';
function verify(rawBody: string, signature: string, secret: string): boolean {
const expected = createHmac('sha256', secret).update(rawBody).digest('hex');
const provided = signature.replace(/^sha256=/, '');
if (expected.length !== provided.length) return false;
return timingSafeEqual(Buffer.from(expected), Buffer.from(provided));
}Failed deliveries (non-2xx responses, or no response in 10s) are retried with exponential backoff up to 24 hours. Make your handler idempotent.