Registering a webhook
Settings → Webhooks → + New endpoint. Specify the URL, choose events, and the platform issues a signing secret. All notifications are signed; verify before you trust.
Available events
delivery.sent— provider acknowledged dispatchdelivery.delivered— recipient confirmationdelivery.failed— permanent failureautomation.activated/automation.pausedbilling.paid— Midtrans settlementbilling.failedmembership.created— invite accepted
Payload shape
POST your-endpoint
{
"id": "evt_2H8sMvkJ9",
"type": "delivery.delivered",
"workspace": "ws_aurora",
"timestamp": "2026-05-20T14:10:31Z",
"data": {
"deliveryAttemptId": "att_4xQ…",
"channel": "WHATSAPP",
"toAddress": "+62812…",
"providerMessageId": "wamid…"
}
}Signing
Each request carries an X-Novusflow-Signature header — HMAC-SHA-256 of the raw body keyed by the secret. Verify with:
node
import { createHmac, timingSafeEqual } from "node:crypto";
function verify(rawBody: string, header: string, secret: string) {
const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
return timingSafeEqual(Buffer.from(expected), Buffer.from(header));
}Delivery + retries
We retry non-2xx responses with exponential back-off for 24 hours, then dead-letter. Expect at-least-once delivery — idempotency keys are baked into every payload (the id field).