Developer & API·Available today
Outbound webhooks
HMAC-signed JSON pushed to your endpoint when anything changes.
Subscribe to events and we'll POST signed JSON to any HTTPS endpoint you configure. Deliveries retry on failure with exponential backoff, and you can rotate signing secrets without dropping events.
What it does
- Events for orders, inventory, customers, returns, and subscription changes
- HMAC-SHA256 signature with a timestamp (replay-proof)
- 7-day dual-signature grace period on secret rotation
- Automatic retries with exponential backoff + manual replay from the dashboard
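The timestamp and secret-rotation bullets above, shown as receiver-side code. This is an added example, not the vendor's code: the `x-webhook-timestamp` header, the `<timestamp>.<body>` signed string, comma-separated signatures and the 300-second window are assumptions, because the page does not give the wire format.

```javascript
// Added example, not the vendor's code. Assumed: an x-webhook-timestamp header
// (Unix seconds), "<timestamp>.<body>" as the signed string, comma-separated hex
// signatures during rotation, and a 300-second freshness window.
const crypto = require("node:crypto");

const TOLERANCE_SECONDS = 300;

function sign(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret).update(`${timestamp}.`).update(rawBody).digest();
}

// secrets: every secret currently valid, e.g. [newSecret, oldSecret] during rotation.
function verifyWebhook(req, secrets, nowSeconds = Math.floor(Date.now() / 1000)) {
  const sigHeader = req.headers["x-webhook-signature"];
  const tsHeader = req.headers["x-webhook-timestamp"];
  if (typeof sigHeader !== "string" || typeof tsHeader !== "string") {
    return { ok: false, reason: "missing-header" };
  }
  if (!/^\d{1,12}$/.test(tsHeader)) return { ok: false, reason: "bad-timestamp" };
  if (Math.abs(nowSeconds - Number(tsHeader)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  // Keep only well-formed 64-hex-digit values so every comparison is 32 bytes.
  const candidates = sigHeader.split(",").map((s) => s.trim())
    .filter((s) => /^[0-9a-f]{64}$/i.test(s)).map((s) => Buffer.from(s, "hex"));
  if (candidates.length === 0) return { ok: false, reason: "bad-signature-format" };
  let matched = false;
  for (const secret of secrets) {
    const expected = sign(secret, tsHeader, req.rawBody);
    for (const candidate of candidates) {
      // No early exit, so timing does not reveal which secret or signature matched.
      if (crypto.timingSafeEqual(candidate, expected)) matched = true;
    }
  }
  return matched ? { ok: true, reason: "ok" } : { ok: false, reason: "signature-mismatch" };
}

// Constructed delivery (sample event body and secrets are made up for this example).
function sampleDelivery(secret, timestamp, body = '{"event":"order.created","id":"ord_123"}') {
  const sig = sign(secret, String(timestamp), body).toString("hex");
  return { headers: { "x-webhook-signature": sig, "x-webhook-timestamp": String(timestamp) }, rawBody: body };
}

const now = 1700000000; // constructed clock value
console.log(verifyWebhook(sampleDelivery("old-secret", now - 10), ["new-secret", "old-secret"], now));
console.log(verifyWebhook(sampleDelivery("old-secret", now - 3600), ["new-secret", "old-secret"], now));
```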
Verify an inbound webhook in Node.js
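import crypto from "node:crypto";

// Returns true only when the signature header matches the HMAC-SHA256 of the raw body.
export function verify(req, secret) {
  const sig = req.headers["x-webhook-signature"];
  // Reject a missing or malformed header here; Buffer.from(undefined) would throw.
  if (typeof sig !== "string" || !/^[0-9a-f]{64}$/i.test(sig)) return false;
  const body = req.rawBody; // already a Buffer/string (the unparsed request bytes)
  const expected = crypto
    .createHmac("sha256", secret)
    .update(body)
    .digest("hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on a length mismatch.
  return crypto.timingSafeEqual(
    Buffer.from(sig, "hex"),
    Buffer.from(expected, "hex"),
  );
}
Ready to wire it up?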
Start a free trial and you'll have an API key and webhook endpoint ready to point at Outbound webhooks in under a minute.
