Webhooks
Receive real-time notifications about events in your Corridorly account
What are Webhooks?
Webhooks are HTTP callbacks that notify your application when specific events occur in Corridorly. Instead of continuously polling our API for updates, we push event data to your specified endpoint in real-time.
Event Occurs
Symphony completes, payment processes, approval decision made
Webhook Sent
We POST the event payload with cryptographic signature
You Respond
Verify signature, process event, return 2xx status
Delivery Tiers
Choose between Standard and Premium tiers based on your SLA requirements. Premium offers faster retries and dedicated infrastructure.
Standard Tier
Reliable delivery for non-critical notifications
Premium Tier
Faster delivery with dedicated infrastructure
Getting Started
Create an Endpoint
Set up an HTTPS endpoint that returns a 2xx status within the timeout window.
// Express.js exampleapp.post('/webhooks/corridorly',express.raw({ type: 'application/json' }),async (req, res) => {const signature = req.headers['x-corridorly-signature'] as string;const timestamp = req.headers['x-corridorly-timestamp'] as string;const payload = req.body.toString('utf8');// Verify signatureif (!verifySignature(payload, signature, timestamp)) {return res.status(401).send('Invalid signature');}// Process asynchronouslyprocessEventAsync(JSON.parse(payload)).catch(console.error);// Acknowledge immediatelyres.status(200).send('OK');});
Configure in Dashboard
Navigate to Settings → Webhooks and add your endpoint URL.
Store Your Secret
Save the 64-character signing secret immediately - it's only shown once.
Important
Store in environment variables immediately. If lost, rotate the secret.
URL Requirements
Webhook URLs must meet strict security requirements to prevent SSRF attacks.
Allowed
https://example.com/webhookhttps://api.example.com:8443Blocked
http://example.comhttps://192.168.1.1View detailed requirements
Allowed Protocols
- • HTTPS only (TLS 1.2+)
Allowed Ports
- • 443 (default)
- • 8443, 1025-65535
Blocked IPs
- • 10.x, 172.16-31.x, 192.168.x
- • 127.x, 169.254.x
Validation
- • DNS resolution required
- • IP blocklist checked
Event Types
Subscribe to all events or filter to specific types.
Symphony Execution Completed
Triggered when a symphony workflow finishes successfully
View payload
{"id": "evt_def456","timestamp": "2025-11-08T12:05:00Z","type": "Symphony Execution Completed","tenantId": "tenant_xyz","symphonyId": "symp_456","data": {"executionId": "exec_789","status": "success","result": { "success": true }}}
Payment Event
Triggered when a payment orchestration completes
View payload
{"id": "evt_jkl012","timestamp": "2025-11-08T12:10:00Z","type": "Payment Event","tenantId": "tenant_xyz","data": {"paymentId": "pay_123","amount": 1000,"currency": "USD","status": "succeeded"}}
Approval Decision Recorded
Triggered when an approver makes a decision
View payload
{"id": "evt_pqr678","timestamp": "2025-11-08T12:20:00Z","type": "approval.decision.recorded","tenantId": "tenant_xyz","data": {"approvalId": "apr_123","decision": "approved","decidedBy": "user_def"}}
Additional Events
Security & Verification
Always verify webhook signatures to ensure authenticity.
Request Headers
X-Corridorly-SignatureHMAC-SHA256 (64 chars)X-Corridorly-TimestampUnix timestamp (ms)Signature Format
signed_payload = timestamp + "." + json_body
signature = HMAC_SHA256(signed_payload, secret)import crypto from 'crypto';function verifyWebhookSignature(payload: string,signature: string,timestamp: string,secret: string): boolean {// 1. Validate timestamp (within 5 minutes)const currentTime = Date.now();const requestTime = parseInt(timestamp, 10);if (Math.abs(currentTime - requestTime) > 300000) {return false;}// 2. Create signed payloadconst signedPayload = `${timestamp}.${payload}`;// 3. Generate expected signatureconst hmac = crypto.createHmac('sha256', secret);hmac.update(signedPayload);const expectedSignature = hmac.digest('hex');// 4. Timing-safe comparisonreturn crypto.timingSafeEqual(Buffer.from(signature, 'hex'),Buffer.from(expectedSignature, 'hex'));}
Retry Behavior
Failed deliveries are automatically retried with exponential backoff.
Standard Schedule
Premium Schedule
Retry Triggers
Retried:
- • 5xx server errors
- • Network timeouts
- • Connection failures
Not retried:
- • 2xx success
- • 4xx client errors
- • Malformed webhooks
Best Practices
Respond Quickly
Return 2xx within timeout (10s/15s). Process asynchronously in background jobs.
Implement Idempotency
Store processed event IDs. Skip duplicate events using the 'id' field.
Always Verify Signatures
Never trust payloads without HMAC verification. Prevents spoofing attacks.
Monitor Health
Check delivery logs regularly. Set up alerts for failed deliveries.
Use HTTPS
Valid TLS certificate required. Self-signed certs will fail.
Troubleshooting
❌ Invalid signature
- • Check secret matches dashboard
- • Verify signing timestamp.body
- • Read raw request body
⏱️ Timeout errors
- • Return 200 OK immediately
- • Process events async
- • Upgrade to Premium (15s)
🔒 SSL errors
- • Use valid CA certificate
- • Check expiration date
- • No self-signed certs
Testing Webhooks
Using webhook.site
- Visit webhook.site for a test URL
- Configure as your webhook endpoint
- Watch requests appear in real-time
Using ngrok
# Install and start ngroknpm install -g ngrokngrok http 3000# Use the HTTPS URL as your webhook endpoint
Ready to get started?
Configure your webhook endpoint and start receiving real-time notifications.