Search docs...Cmd+K

Overview Hosting Public WSS Self-hosted Model FAQ

DocsHosting

Webhook Security

How to operate webhook endpoints safely in production.

Baseline controls

Use per-webhook secrets and rotate them regularly.
Never store plain secrets after creation; only hashed secrets at rest.
Use provider event IDs to protect against duplicate deliveries.
Apply payload size limits and request rate limits.

Secret rotation runbook

Rotate secret from Settings → Webhooks.
Update sender integration with new value immediately.
Send one test webhook and verify status `processed`.
Audit payload history for unauthorized failures.

Header checklist

Required:
  X-Sutraha-Webhook-Secret

Recommended:
  X-Provider-Event-Id
  Content-Type: application/json