Webhooks

Registering a webhook

Settings → Webhooks → + New endpoint. Specify the URL, choose events, and the platform issues a signing secret. All notifications are signed; verify before you trust.

Available events

• delivery.sent — provider acknowledged dispatch
• delivery.delivered — recipient confirmation
• delivery.failed — permanent failure
• automation.activated / automation.paused
• billing.paid — Midtrans settlement
• billing.failed
• membership.created — invite accepted

Payload shape

{
  "id":        "evt_2H8sMvkJ9",
  "type":      "delivery.delivered",
  "workspace": "ws_aurora",
  "timestamp": "2026-05-20T14:10:31Z",
  "data": {
    "deliveryAttemptId": "att_4xQ…",
    "channel":           "WHATSAPP",
    "toAddress":         "+62812…",
    "providerMessageId": "wamid…"
  }
}

Signing

Each request carries an X-1nCall-Signature header — HMAC-SHA-256 of the raw body keyed by the secret. Verify with:

import { createHmac, timingSafeEqual } from "node:crypto";

function verify(rawBody: string, header: string, secret: string) {
  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
  return timingSafeEqual(Buffer.from(expected), Buffer.from(header));
}

Delivery + retries

We retry non-2xx responses with exponential back-off for 24 hours, then dead-letter. Expect at-least-once delivery — idempotency keys are baked into every payload (the id field).