Webhooks

Receive events in real time

SendyStack POSTs JSON events to your URL whenever something happens — a message gets delivered, a customer replies, a campaign completes. Configure them at Settings → Webhooks.

Delivery shape

Every webhook request is a POST with a JSON body and an X-SendyStack-Signature header for verification.

POST https://your-app.com/sendystack/webhook
Content-Type: application/json
X-SendyStack-Signature: t=1716840000,v1=…

{
  "type": "message.delivered",
  "tenant_id": "ten_…",
  "data": {
    "message_id": "msg_…",
    "meta_message_id": "wamid.HBg…",
    "to": "+254712345678",
    "delivered_at": "2026-05-28T06:16:00Z"
  }
}

Verify the signature

Parse X-SendyStack-Signature: t=<ts>,v1=<sig>.
Build <ts>.<raw-body> and HMAC-SHA256 it with your webhook signing secret.
Compare with constant-time equality (e.g. crypto.timingSafeEqual).
Reject if Math.abs(now - ts) > 300 seconds — defends against replay.

Retry policy

Respond 200 within 5 seconds. Anything else is retried with exponential backoff for 24 hours (1s, 5s, 25s, 2m, 10m, …). Persistent failures pause the webhook and surface a banner in the dashboard.

Full event catalog: Read the Webhook Events reference →