Webhooks

Configure webhook endpoints to receive real-time event notifications with HMAC signing.

Endpoints

Method	Description	Permission
GET	List webhooks	webhooks.read
POST	Create webhook	webhooks.write
PATCH	Update webhook	webhooks.write
DELETE	Delete webhook	webhooks.write
GET	Get delivery history	webhooks.read

Webhook Headers

Every webhook request includes the following headers

Content-Type: application/json
X-Sendy-Signature: sha256=<hmac_hex_digest>
X-Sendy-Event: email.sent
X-Sendy-Delivery: <delivery_uuid>

http

Event Types

Subscribe to specific events when creating a webhook. Click an event to see its payload.

Email Events

SMTP Events

SMS Events

Warmup Events

AI Events

Signature Verification

Verify webhook authenticity using the HMAC-SHA256 signature

Every webhook request includes an X-Sendy-Signature header containing an HMAC-SHA256 digest of the request body, signed with your webhook secret. Always verify this signature before processing events.

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

// In your webhook handler:
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-sendy-signature'];
  const isValid = verifyWebhook(
    JSON.stringify(req.body),
    signature,
    'your_webhook_secret'
  );

  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }

  // Process the event...
  console.log(req.body.event); // "email.sent"
  res.status(200).send('OK');
});

javascript