Nomod
Get Nomod
Webhooks/Managing Webhooks

Webhooks

Managing Webhooks

This article covers how to manage a webhook after you create one. You can edit its details, rotate its signing secret, monitor event delivery, and delete it.

Editing a webhook

Update a webhook's name, URL, or selected events at any time.

  1. Go to Settings > Tools & customisations > Apps & APIs > Webhooks
  2. Select the webhook and tap Edit
  3. Update the name, URL, or selected events
  4. Tap Update

Deleting a webhook

Deleting a webhook stops all future event notifications to that endpoint. This action is permanent and cannot be undone.

  1. Go to Settings > Tools & customisations > Apps & APIs > Webhooks
  2. Select the webhook
  3. Tap Delete webhook
  4. Tap Delete to confirm

Your signing secret

Every webhook has a signing secret. Nomod uses it to sign every payload sent to your endpoint. You use it to verify that incoming requests came from Nomod and have not been altered.

To find your signing secret:

  1. Go to Settings > Tools & customisations > Apps & APIs > Webhooks
  2. Select the webhook
  3. Find the Signing secret field
  4. Tap the Copy icon to copy the secret

Your signing secret is masked by default.

Verifying webhook signatures

Every request Nomod sends to your endpoint is signed. Verifying the signature protects your endpoint from fake or altered payloads.

Each webhook request includes three headers:

  • svix-id: a unique ID for this specific webhook message
  • svix-timestamp: the time the webhook was sent, as a Unix timestamp
  • svix-signature: the signature to verify

If any of these headers are missing, your server should return a 400 response and reject the request.

To verify a signature:

  1. Extract the three svix headers from the incoming request
  2. Check that svix-timestamp is within five minutes of the current time. If the difference is more than five minutes, return a 400 response and reject the request
  3. Build the signed string by combining svix-id, svix-timestamp, and the raw request body, joined by dots: svix-id.svix-timestamp.raw_body
  4. Remove the whsec_ prefix from your signing secret, then Base64-decode the remaining string to get the raw secret bytes
  5. Compute HMAC-SHA256 using the raw secret bytes as the key and the signed string as the message, then Base64-encode the result
  6. Compare your computed signature against the value in svix-signature. Strip the v1, prefix first. If any signature in the header matches, the request is valid. If none match, return a 400 response
  7. Return a 200 OK response, then process the event

Rotating your signing secret

If you suspect your signing secret has been compromised, you can generate a new one immediately. Your old secret will remain valid for 24 hours after rotation, giving your server time to update before the old key stops working.

  1. Go to Settings > Tools & customisations > Apps & APIs > Webhooks
  2. Select the webhook
  3. Find the Signing secret field
  4. Tap the rotate icon
  5. Review the confirmation prompt and tap Generate to confirm

Copy your new signing secret and update your server code within 24 hours. After this window, the old secret expires, and any requests still using it will fail.

Viewing event logs

To view events for a specific webhook:

  1. Go to Settings > Tools & customisations > Apps & APIs > Webhooks
  2. Select the webhook
  3. Tap the Events tab

To view events across all your webhooks:

  1. Go to Settings > Tools & customisations > Apps & APIs > Webhooks
  2. Tap the Events tab

Getting event details

Tap any event in the list to open its detail view. You will see:

  • The event name and timestamp
  • The delivery status, integration type, Event Log ID, Webhook ID, and Webhook URL
  • The full event payload in JSON format

To save the event data, tap Copy or Download to export it as a JSON file.

To create a webhook, see How Webhooks Work.

Nomod