Receive Webhooks¶
Use webhooks when your app needs to react to SigID events after they happen. Examples include login, membership, organization, application, security, or audit changes.
Do not use webhooks for the immediate login response. Login still returns through the browser callback. Webhooks are for asynchronous updates.
What You Build¶
Create an HTTPS endpoint in the backend, register it in SigID, and store the signing secret server-side only.
In the handler, verify the webhook signature before trusting any field, check timestamp or replay protection, and make processing safe to retry.
Log event ID and request ID only; never log secrets or raw tokens. Verify a request with a bad signature is rejected before moving on.
- Create an HTTPS endpoint in your backend.
- Register the endpoint in SigID.
- Store the signing secret server-side.
- Verify the webhook signature before trusting the event.
- Check timestamp or replay protection.
- Make the handler safe to retry.
- Log event ID and request ID, not secrets or raw tokens.
Receiver Checklist¶
| Step | Requirement |
|---|---|
| Endpoint | Use HTTPS in production. |
| Signing secret | Keep it server-side and never expose it in browser code. |
| Signature verification | Reject events before parsing trust-sensitive fields. |
| Timestamp check | Limit replay windows. |
| Retry handling | Make handlers idempotent and safe to run more than once. |
| Logging | Log event ID and request ID, not raw secrets. |
Event Handling Rules¶
Make the handler respond quickly after verification and push slow work onto a queue.
Implement idempotency keyed by event ID so retried deliveries do not double-apply, and treat unknown event types as safe no-ops or route them to review.
Document a signing-secret rotation plan tied to deployments before calling the receiver done.
- respond quickly after verification
- queue slow work
- use idempotency keyed by event ID
- treat unknown event types as safe no-ops or route them to review
- rotate signing secrets with a deployment plan
For event names and payload reference, read Reference: Webhook Events.