Webhook security
Outbound subscriptions and inbound provider hooks. API details: Webhooks, Inbound.
Outbound (DripPulse → your HTTPS endpoint)
When you POST /api/v1/webhooks with url and event_type, the response includes a generated secret. Use it to verify HMAC signatures on deliveries. Event types and signing contract: GET /api/v1/webhooks/catalog.
- Reject requests with invalid signatures or unknown timestamps (if your policy stores nonces / max age).
- Return 2xx only after you persist or queue the payload; otherwise DripPulse may retry.
- Rotate by creating a new webhook or updating credentials per product UI when supported; retest with POST /api/v1/webhooks/:id/test.
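A receiver-side sketch of the checks listed above, added here as an example and not DripPulse's own code. The signing scheme (hex HMAC-SHA256 over "<timestamp>." plus the raw body), the 300-second window, and the names sign, handle_delivery and enqueue are assumptions; take the real header names and signed string from GET /api/v1/webhooks/catalog.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 300  # assumed policy: 5-minute acceptance window
_seen = {}             # (timestamp, signature) -> expiry; constructed in-memory replay cache


def sign(secret, timestamp, body):
    """Assumed scheme: hex HMAC-SHA256 over b"<timestamp>." + raw body bytes."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def handle_delivery(secret, timestamp, signature, body, enqueue, now=None):
    """Return (http_status, reason) for one delivery; enqueue persists the raw body."""
    now = time.time() if now is None else now
    if not timestamp or not signature:
        return 400, "missing timestamp or signature"
    try:
        ts = int(timestamp)
    except ValueError:
        return 400, "malformed timestamp"
    if abs(now - ts) > MAX_AGE_SECONDS:
        return 401, "timestamp outside allowed window"
    expected = sign(secret, timestamp, body)
    # Constant-time comparison; bytes on both sides so non-ASCII input
    # is compared instead of raising TypeError.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "invalid signature"
    # Replay bookkeeping happens only for authenticated requests, so
    # unsigned traffic cannot fill the cache.
    for key in [k for k, expiry in _seen.items() if expiry < now]:
        del _seen[key]
    key = (timestamp, signature)
    if key in _seen:
        return 200, "duplicate"  # already stored; acknowledge without reprocessing
    try:
        enqueue(body)            # persist or queue before acknowledging
    except Exception:
        return 500, "storage failed"  # non-2xx so the sender can retry
    _seen[key] = ts + MAX_AGE_SECONDS
    return 200, "accepted"
```

Verify against the raw request bytes, not a re-serialized JSON object, and keep the replay cache in a store shared by all receiver instances.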
Inbound (providers → DripPulse)
Routes like Stripe use provider signing, not your org API key. See Inbound webhooks & tracking. Lead-scoring endpoints should only accept trusted callers (network allowlist + shared secret or signature).
Field reference — create outbound webhook
{
  "url": "https://hooks.example.com/drippulse",
  "event_type": "workflow.failed",
  "active": true
}
Required: url, event_type. Response 201: id, secret, url, event_type, active, created_at.