Stream visitor, screening, and audit-related events into your systems with managed delivery behavior.
Configure one or more endpoints for the event types below.
Deliveries move through pending, delivering, delivered, and failed states. Retries are controlled by max_retries on each endpoint.
Validate X-Spusa-Signature and X-Spusa-Timestamp before processing webhook payloads.
Each delivery includes event type, organization id, and a data object with event payload details.
Manage endpoint registration, status, and secret rotation through admin webhook routes.
const body = await request.text();
const signature = request.headers.get('X-Spusa-Signature');
const timestamp = request.headers.get('X-Spusa-Timestamp');
const payloadToSign = `${timestamp}.${body}`;
// Compute expected HMAC-SHA256 and compare using timing-safe checks
For production, keep webhook secrets in server-side secret storage and reject stale timestamps.
We can provide event catalogs, payload samples, and testing guidance for your systems.
Talk to the team