Receiving Events via Webhook

To start receiving events via webhook, email us the URL you’d like Sibi to send requests to. We will POST to this endpoint.

Authentication

Once your server is configured to receive payloads, it’ll listen for any payload sent to the endpoint you configured. For security reasons, you’ll want to limit requests to those coming from Sibi.

When you email us your endpoint URL you can send us a secret, or request that we generate a secret on your behalf that we will later send you. If you want to generate this secret yourself, it should be a random string with high entropy. One way to generate this would be to run ruby -rsecurerandom -e 'puts SecureRandom.hex(20)', for example. If you choose to use a secret, we will calculate a sha256 hash using your secret and set it in the HTTP_X_SIBI_SIGNATURE_256 http header sent with the webhook. For an example of how to verify this hash see below.

Verify payload signature

const webhookSignature = req.get('HTTP_X_SIBI_SIGNATURE_256');
const hash = crypto.createHmac('sha256', secret).update(req.rawBody, 'utf8').digest('base64')`;
const isValid = hash === webhookSignature;

Ensuring You Receive Events

If a webhook request fails, we will retry 5 times with a backoff before permanently failing.

Filtering Events

The HTTP request will contain a topic header that can be used to route the request without parsing the body. The body of all webhook requests will have the following format:

{
  "topic": "topic.name",
  "data": <topic-dependent>
}

The format under “data” will differ by topic and will generally contain the most up to date version of whatever resource type the event is about.

It currently emits the following topics: