Delivery semantics
- At-least-once delivery — We may deliver the same event more than once. Use
event_idto deduplicate. - No ordering guarantee — Events may arrive out of order. Use
occurred_atto sort if needed.
Webhook headers
Every POST includes:| Header | Description |
|---|---|
X-Event-Id | Stable UUID for this event. Same across retries. Use for deduplication. |
X-Timestamp | Unix timestamp of the delivery attempt |
X-Signature | HMAC-SHA256 signature for verification |
Signature verification
The signature is computed asHMAC-SHA256(webhook_secret, "{timestamp}.{raw_json_payload}"). Verify before processing. Use constant-time comparison to prevent timing attacks.
Also verify that X-Timestamp is within 5 minutes of current time to prevent replay attacks.
Retry policy
If your endpoint doesn’t return2xx within 15 seconds:
| Attempt | Delay |
|---|---|
| 1 | Immediate |
| 2 | 30 seconds |
| 3 | 60 seconds |
| 4 | 2 minutes |
| 5 | 4 minutes |
Full payload and verification
See the Webhooks guide for the completemessage.received payload structure and signature verification code examples.