SoftSolzSoftSolz
HomeAPI GuideAPI ReferenceWidget Tester

Webhooks

Receive signed event payloads when things happen in your workspace.

Register an HTTPS endpoint and SoftSolz POSTs a signed JSON payload whenever a subscribed event fires. Event names are namespaced per service - for example forms.submission.created, invoicing.invoice.paid.

Register an endpoint

In the dashboard go to Developers → Webhooks and add your HTTPS URL (up to 50 per workspace). In production, endpoints must be public HTTPS - loopback and private addresses are rejected.

Verify the signature

Every delivery carries a signature header:

http
Softsolz-Signature: t=<unix>,v1=<hmac-sha256>

Compute HMAC_SHA256(secret, "<t>.<raw-body>") and compare to v1 in constant time. Reject the request when |now - t| > 300s. Secrets rotate on a 7-day dual-secret window, so during rotation check against both the current and previous secret.

Node
import { verifyWebhook } from '@softsolz/sdk';
app.post('/webhooks/softsolz', express.raw({ type: '*/*' }), (req, res) => {
const ok = verifyWebhook({
payload: req.body,
header: req.get('Softsolz-Signature'),
secret: process.env.SOFTSOLZ_WEBHOOK_SECRET,
});
if (!ok) return res.status(400).end();
// ...handle the event...
res.status(200).end();
});

Retries

Failed deliveries are retried with backoff. Respond 2xx quickly and do the work asynchronously so you never time out.