Skip to content
Inbox OSS
Help Center

Webhooks

Setting up signed webhooks

Webhooks are signed with Ed25519. Every request includes X-Inbox-Signature (base64) and X-Inbox-Timestamp (Unix seconds).

Get your public key. Settings → Webhooks → Verification Key. Rotates quarterly with 30-day overlap.

Verify on receipt. The signed message is timestamp + "." + raw body. Use any Ed25519 library (nacl/tweetnacl/cryptography). Reject if timestamp is older than 5 minutes.

Acknowledge. Return 2xx as quickly as possible. We treat anything else as failure and retry with exponential backoff for 24 hours.

Replay. The dashboard's Webhooks → History tab lets you re-fire any event manually for testing.

Still stuck? We're here.

Free plan includes 3,000 emails/month forever. No credit card required.