Best Practices
Follow these guidelines for a reliable, secure webhook integration.
Verify Every Request
Always check the HMAC signature and timestamp before processing. Never trust an unverified webhook payload.
Respond Quickly
Return a 200 status immediately and process the event asynchronously. Your endpoint must respond within 10 seconds.
Handle Duplicates
Use the X-Webhook-Delivery header as an idempotency key to safely handle duplicate deliveries.
Secure Your Secret
Store the webhook secret in an environment variable or secret manager. Never commit it to source control.
Monitor Delivery Logs
Check your delivery logs regularly in the dashboard to catch failing endpoints before they get auto-disabled.
Test with Ping
Use the "Test" button in the dashboard to send a test.ping event and verify your endpoint is reachable before going live.
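The checks from "Verify Every Request", "Handle Duplicates" and "Secure Your Secret" combined in one handler, as an added example that is not code from this page or its vendor. Only `X-Webhook-Delivery` comes from the page; the other two header names, the `WEBHOOK_SECRET` variable, the HMAC-SHA256 over `timestamp.body` scheme and the 300-second window are assumptions to replace with the provider's documented values.

```python
import hashlib
import hmac
import os
import time

TOLERANCE_SECONDS = 300   # assumed replay window; the page does not state one
_seen_deliveries = set()  # in-memory for the example; use a shared store with a TTL
work_queue = []           # stands in for a real job queue


def load_secret():
    # WEBHOOK_SECRET is an assumed variable name; the value never lives in source.
    return os.environ["WEBHOOK_SECRET"].encode()


def sign(secret, timestamp, body):
    # Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>".
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def handle_webhook(headers, body, secret, now=None):
    """Verify, check freshness, dedupe, then queue. Returns (status, reason)."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Webhook-Timestamp", "")   # assumed header name
    signature = headers.get("X-Webhook-Signature", "")   # assumed header name
    delivery_id = headers.get("X-Webhook-Delivery", "")  # header named on the page
    if not (timestamp and signature and delivery_id):
        return 400, "missing headers"

    # Compare over the raw request bytes, in constant time, before parsing anything.
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "bad signature"

    # Only now is the timestamp authentic; reject deliveries outside the window.
    try:
        age = abs(now - int(timestamp))
    except ValueError:
        return 401, "bad timestamp"
    if age > TOLERANCE_SECONDS:
        return 401, "stale timestamp"

    # Acknowledge a repeat with 200 so the sender stops retrying, but do no work.
    if delivery_id in _seen_deliveries:
        return 200, "duplicate"
    _seen_deliveries.add(delivery_id)

    work_queue.append((delivery_id, body))  # processed later, off the request path
    return 200, "queued"
```

In this assumed scheme the delivery ID is not covered by the signature, so the idempotency check handles sender retries while the timestamp window is what bounds replay of a captured request.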