Webhooks

Subscribe to events instead of polling. We POST a JSON payload to your endpoint the moment something changes — signed so you can trust it.

Setup

Add an endpoint URL in your dashboard and pick the events to subscribe to. Each endpoint gets its own signing secret (whsec_…). Hit Send test to fire a sample webhook.test payload and confirm your receiver works.

Events

  • tracking.updated — a parcel changed status.
  • qc.batch.created — new QC photos landed for a product.
  • convert.resolved — an async conversion finished.

Payload

POST your-endpoint
{
  "event": "tracking.updated",
  "created": "2026-06-24T08:14:00Z",
  "data": {
    "tracking_id": "YT2530998211074512",
    "status": "in_transit",
    "eta": "2026-07-02"
  }
}

Verifying signatures

Every request carries an X-Reps-Signature header — an HMAC-SHA256 of the raw body using your webhook secret. Recompute it and compare before trusting the payload.

verify.ts
import { createHmac, timingSafeEqual } from "node:crypto";

function verify(raw: string, signature: string, secret: string) {
  const expected = createHmac("sha256", secret).update(raw).digest("hex");
  return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}