Webhooks
Receive signed event payloads when things happen in your workspace.
Register an HTTPS endpoint and SoftSolz POSTs a signed JSON payload whenever a subscribed event fires. Event names are namespaced per service - for example forms.submission.created, invoicing.invoice.paid.
Register an endpoint
In the dashboard go to Developers → Webhooks and add your HTTPS URL (up to 50 per workspace). In production, endpoints must be public HTTPS - loopback and private addresses are rejected.
Verify the signature
Every delivery carries a signature header:
Softsolz-Signature: t=<unix>,v1=<hmac-sha256>Compute HMAC_SHA256(secret, "<t>.<raw-body>") and compare to v1 in constant time. Reject the request when |now - t| > 300s. Secrets rotate on a 7-day dual-secret window, so during rotation check against both the current and previous secret.
import { verifyWebhook } from '@softsolz/sdk';
app.post('/webhooks/softsolz', express.raw({ type: '*/*' }), (req, res) => { const ok = verifyWebhook({ payload: req.body, header: req.get('Softsolz-Signature'), secret: process.env.SOFTSOLZ_WEBHOOK_SECRET, }); if (!ok) return res.status(400).end(); // ...handle the event... res.status(200).end();});Retries
Failed deliveries are retried with backoff. Respond 2xx quickly and do the work asynchronously so you never time out.