Webhooks

Features

• check**One subscription, whole taxonomy** — 50+ canonical event types across auth, push, email, sms, links, surveys, automation, billing, support, csat, consent, attribution. Customer subscribes once + their mirror stays in sync.
• check**HMAC-SHA256 signing** — `t=…,v1=…` header (Stripe convention) so SDKs your team already wrote against Stripe slot in unchanged.
• check**Exponential backoff** (2s / 8s / 30s / 90s) + permanent-vs-transient HTTP status classification — 4xx (except 408/429) goes permanent fast; 5xx / network / 429 retry.
• check**Per-endpoint event filters** — subscribe to `auth.*` only, `email.bounced` only, whatever. Multiple endpoints per org, each with its own filter.
• check**Delivery log + one-click replay** — every attempt logged with status code + response body + reconstructed signed-header line. Failed deliveries replay individually or in bulk by event filter.
• check**Inbound endpoints with SSRF guard** — accept provider callbacks (Stripe, GitHub, Slack) without standing up your own validator stack. `lib/url-safety.ts` blocks RFC1918, loopback, link-local, cloud-metadata IPs (169.254.169.254, etc.), CGN ranges. Replay-window guard built in.
• check**Rotating signing secret** — endpoint can hold two active secrets during rotation, both verify, then retire the old one. No webhook outage during key rotation.

Common use cases

• eastReplace Svix ($490+/mo Pro) — the delivery posture is identical (HMAC + exp backoff + replay), the event source ships with it.
• eastReplace Hookdeck (~$200/mo Mid) — same posture, plus you don't have to ship product events into it first.
• eastMirror Sendora identity / messaging / support into your DB — `auth.device_takeover` deletes the right row, `email.bounced` updates the right user trait, `csat.detractor` flags the right account.
• eastAccept Stripe / GitHub / Slack callbacks without a separate validator service.
• eastCross-tool wiring — Slack alerts on detractor CSAT, Discord pings on ticket SLA breach, PagerDuty on auth.signin_storm.

Key concepts

HMAC signature

`X-Sendora-Signature: sha256=<hex>` over the raw body. Verify server-side before trusting payload.

Retry policy

Exponential backoff, 6 attempts over ~30 min. Persistent fails go to dead-letter — visible in dashboard.

SSRF guard

URL allowlist + RFC1918 / loopback / cloud-metadata block. Kill-switch `SSRF_GUARD=off`.

Webhooks

curl -X POST https://api.sendoracloud.com/api/v1/orgs/<ORG_UUID>/webhooks/endpoints \
  -H "x-api-key: pk_prod_…" \
  -d '{
    "url": "https://your-app.com/hooks/sendora",
    "events": ["email.delivered", "email.bounced", "auth.user_signed_up"]
  }'

# Response includes "secret" — store it to verify signatures.

import { createHmac, timingSafeEqual } from "node:crypto";

function verify(rawBody: string, signature: string, secret: string) {
  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
  return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}

# No SDK call — automatic.
# Backoff schedule: initial fire, then 2s, 8s, 30s, 90s. Endpoints
# returning 2xx within ~2min won't see a final-failure log.

curl -X POST https://api.sendoracloud.com/api/v1/orgs/<ORG_UUID>/dev-tools/webhook-test \
  -H "x-api-key: pk_prod_…" \
  -d '{ "url": "https://your-app.com/hooks/sendora", "event": "email.delivered" }'

Related