One signed subscription to the whole platform's event taxonomy — Stripe / Svix delivery posture, zero per-event bill.
Svix Pro is $490/mo for the delivery infra alone; you still ship product events into it. Hookdeck Mid is ~$200/mo. Sendora bundles the same delivery posture (HMAC-SHA256 signed, exponential-backoff retry, replay, delivery log, SSRF-guarded inbound) into every module's event stream natively. One webhook endpoint subscription captures `auth.user_created`, `auth.device_takeover`, `push.token_invalidated`, `email.bounced`, `support.ticket_created`, `csat.detractor`, `billing.subscription_updated`, `automation.run_completed`, `attribution.install_attributed`, and 40+ more — one signed payload format, one rotating secret, one delivery log. The "integrate this" step in every SaaS evaluation, already done.
Features
- One subscription, whole taxonomy — 50+ canonical event types across auth, push, email, sms, links, surveys, automation, billing, support, csat, consent, attribution. Customer subscribes once + their mirror stays in sync.
- HMAC-SHA256 signing —
t=…,v1=…header (Stripe convention) so SDKs your team already wrote against Stripe slot in unchanged. - Exponential backoff (2s / 8s / 30s / 90s) + permanent-vs-transient HTTP status classification — 4xx (except 408/429) goes permanent fast; 5xx / network / 429 retry.
- Per-endpoint event filters — subscribe to
auth.*only,email.bouncedonly, whatever. Multiple endpoints per org, each with its own filter. - Delivery log + one-click replay — every attempt logged with status code + response body + reconstructed signed-header line. Failed deliveries replay individually or in bulk by event filter.
- Inbound endpoints with SSRF guard — accept provider callbacks (Stripe, GitHub, Slack) without standing up your own validator stack.
lib/url-safety.tsblocks RFC1918, loopback, link-local, cloud-metadata IPs (169.254.169.254, etc.), CGN ranges. Replay-window guard built in. - Rotating signing secret — endpoint can hold two active secrets during rotation, both verify, then retire the old one. No webhook outage during key rotation.
Common use cases
Replace Svix ($490+/mo Pro) — the delivery posture is identical (HMAC + exp backoff + replay), the event source ships with it.
Replace Hookdeck (~$200/mo Mid) — same posture, plus you don't have to ship product events into it first.
Mirror Sendora identity / messaging / support into your DB — `auth.device_takeover` deletes the right row, `email.bounced` updates the right user trait, `csat.detractor` flags the right account.
Accept Stripe / GitHub / Slack callbacks without a separate validator service.
Cross-tool wiring — Slack alerts on detractor CSAT, Discord pings on ticket SLA breach, PagerDuty on auth.signin_storm.
Start in minutes. Scale without switching tools.
The free tier covers most side projects. Every module is turn-key and every SDK is first-party.