Skip to main content

Webhooks

Register webhook endpoints (HTTPS only) in the portal to receive events instead of polling.

Delivery: POST with a JSON body and a signature header:

X-Laabam-Signature: t=1718271000,v1=5257a869e7ec...   # HMAC-SHA256
X-Laabam-Event: invoice.paid

Verify before trusting (pseudocode):

signed_payload = "{t}.{raw_request_body}"
expected = HMAC_SHA256(webhook_signing_secret, signed_payload)
reject if not constant_time_equals(expected, v1)
reject if abs(now - t) > 5 minutes      # replay protection

Event payload:

{
  "id": "evt_9a8b7c6d",
  "type": "invoice.paid",
  "created_at": "2026-06-13T09:30:00Z",
  "data": { /* the resource object */ }
}

Events (initial set): invoice.created, invoice.paid, invoice.voided, payment.recorded, customer.created, message.delivered, message.failed.

Retries: non-2xx responses are retried with exponential backoff for up to 24h. Respond 2xx within 5s and process asynchronously. Use the event id to dedupe.