Skip to content

Webhooks Overview

Truto provides webhooks which can notify you of interesting events happening in your Truto account. They can also notify you about changes happening in the third party app integrations where Truto receives the webhook events from the integrations and proxies them to your endpoint in a unified format (coming soon).

Webhooks API reference

Webhook endpoints

HTTPS only

All webhook endpoints need to be HTTPS and need to support POST method.


SHA256 Signature

Every request made to a webhook endpoint has x-truto-signature header which contains the SHA256 HMAC of the request body being sent. This helps you make sure that the requests are originating from Truto. The SHA256 HMAC uses a secret string (UUID) which is shared with you when the webhook is created. See creating webhook endpoint.

To prevent replay attacks, you can check the created_at attribute of the request body and ignore the webhook event if it's longer than a certain timeframe, there is also a unique id in the request body for each webhook event.

See verifying webhook events


Webhook endpoints need to respond with HTTP status code 200. In case of 4XX and 5XX staus codes, Truto will retry 3 times with exponential backoff of maximum 10 seconds before giving up.

Prolonged failures from a webhook endpoint will automatically make the webhook endpoint inactive. Inactive webhooks have the is_active attribute to false. Inactive webhook endpoints will not receive any further events. We'll notify you via email when a webhook is marked as inactive.

Logging (coming soon)

All the webhook deliveries will be logged and will be available via an API.