Skip to main content
Register an HTTPS endpoint and we’ll POST you events as they happen:
The response includes the signing secret (prefix whsec_) once — store it securely.

Verifying signatures

Every delivery includes a Cactus-Signature header:
v1 is an HMAC-SHA256 digest of "{t}.{raw request body}" using your endpoint secret. Verify every delivery:
Reject deliveries older than five minutes, and always compute the digest over the raw request body — parsing and re-serializing JSON will change the bytes.

Delivery and retries

Respond with any 2xx within 10 seconds to acknowledge. Anything else is retried with exponential backoff for up to 24 hours. Deliveries can arrive more than once — use the event id to deduplicate.