
Webhook Security

Production-grade webhook documentation for signed event delivery, retries, failed deliveries, event logs, and compliance-safe integrations.

HMAC-SHA256 signatures

Xaqiiji signs every webhook request using HMAC-SHA256 so your application can verify that the webhook was sent by Xaqiiji and has not been modified.

Required headers

x-xaqiiji-event: verification_completed
x-xaqiiji-delivery-id: uuid
x-xaqiiji-attempt: 1
x-xaqiiji-timestamp: 1717331400
x-xaqiiji-signature: t=1717331400,v1=5e8f9a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9
User-Agent: Xaqiiji-Webhooks/1.0

Replay attack prevention

Reject timestamps outside your tolerance window, commonly five minutes, and store processed event IDs to prevent duplicate processing.
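A receiver-side sketch of the signature check and replay controls described above. This is an added example, not Xaqiiji's own code. It assumes the signed string is "<t>.<raw request body>" and that v1 is a hex digest; the page does not state either, so confirm both before relying on it. The function names and the in-memory set are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # the five-minute window mentioned above


def expected_digest(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    # ASSUMPTION: signed string is "<t>.<raw body>"; not confirmed by the page.
    signed = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def parse_signature_header(value: str):
    """Split 't=<unix>,v1=<hex>' into (timestamp, hex digest)."""
    parts = dict(p.strip().split("=", 1) for p in value.split(",") if "=" in p)
    return int(parts["t"]), parts["v1"]


def verify_signature(secret, signature_header, raw_body, now=None):
    """Return (ok, reason). Call this on the raw bytes, before parsing JSON."""
    now = int(time.time()) if now is None else now
    try:
        ts, received = parse_signature_header(signature_header)
    except (KeyError, ValueError, AttributeError):
        return False, "malformed"
    # Reject old (or far-future) timestamps before doing any other work.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "stale"
    expected = expected_digest(secret, ts, raw_body)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "bad_signature"
    return True, "ok"


def first_delivery(event_id: str, seen_ids: set) -> bool:
    """True the first time an event ID is seen. The set stands in for a
    durable store (database row, cache key with TTL) in a real service."""
    if event_id in seen_ids:
        return False
    seen_ids.add(event_id)
    return True
```

Run verify_signature on the unparsed body first, then extract the event ID from the verified payload and pass it to first_delivery before triggering downstream work.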

Secret rotation and IP allowlisting

Rotate webhook secrets when staff, vendors, or environments change. For production, combine signatures with IP allowlisting when possible.

Payload validation

Validate event type, event ID, environment, and data shape before triggering downstream systems.

Security checklist

Required controls

Use HTTPS endpoints only
Verify signature before processing
Reject old timestamps
Store webhook secret securely
Treat events as idempotent
Do not trust unsigned payloads
Log event ID and delivery ID
Return 2xx only after successful processing