Set up your endpoint
Register a webhook URL in the dashboard or via the API:secret (whsec_…), shown once. Optionally pass event_types
to subscribe to a subset; omit it (or pass []) to receive everything.
Signature verification
Every request carries aPlinth-Signature: t=<unix>,v1=<hmac> header — an HMAC-SHA256 of
"<t>.<raw body>" keyed by your endpoint secret. Verify it against the raw body, before parsing
JSON, and reject anything that doesn’t match. The full copy-paste snippet (Next.js) lives in
Receiving webhooks.
Webhook payload shape
Every event uses the same envelope. Switch ontype and read data.object:
id— unique event ID. Treat it as an idempotency key — ignore an id you’ve already processed.type— the event name. See the full catalog.created— unix seconds when the event occurred.data.object— the event-specific payload; shape varies by type.
We retry a failed delivery (non-2xx or timeout) with exponential backoff — up to 8 attempts — then
mark it
failed. Return a 2xx quickly to acknowledge; inspect and resend from Webhooks →
deliveries in the dashboard.