Verifying Signatures

Webhook signatures let you verify that webhook messages are actually sent by us and not by a malicious actor. Verifying webhooks is optional but recommended. For a more detailed explanation, check out this article on why you should verify webhooks. Our webhook partner Svix offers a set of useful libraries that make verifying webhooks very simple. Here is an example using JavaScript:
import { Webhook } from "svix";

// You can get this secret from the Webhook Configuration in the telli dashboard
const secret = "whsec_GET_THIS_FROM_THE_DASHBOARD";

// These were all sent from the server
const headers = {
  "svix-id": "msg_p5jXN8AQM9LWM0D4loKWxJek",
  "svix-timestamp": "1614265330",
  "svix-signature": "v1,g0hM9SsE+OTPJTGt/tmIKtSyZlE3uFJELVlNIOLJ1OE=",
};
// Pass the raw request body exactly as received, not re-serialized JSON
const payload = '{"test": 2432232314}';

const wh = new Webhook(secret);
// Throws on error, returns the verified content on success
const verified = wh.verify(payload, headers);
For full instructions on verifying signatures, see Svix's webhook verification documentation. The docs include examples in JavaScript, Python, Go, Java, PHP and other languages.
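What the library call above checks, written out with Node's built-in crypto as an added example (not telli's or Svix's own code). It follows Svix's published manual-verification scheme: HMAC-SHA256 over `id.timestamp.body`, keyed with the base64 part of the secret, with the five-minute timestamp tolerance Svix documents for its libraries. The demo secret, message id and helper names are constructed.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const TOLERANCE_SECONDS = 5 * 60; // window Svix documents for its libraries

// Base64 HMAC-SHA256 over "<id>.<timestamp>.<raw body>", keyed with the
// base64-decoded part of the secret after the "whsec_" prefix.
function sign(secret, id, timestamp, rawBody) {
  const key = Buffer.from(secret.replace(/^whsec_/, ""), "base64");
  return createHmac("sha256", key)
    .update(`${id}.${timestamp}.${rawBody}`)
    .digest("base64");
}

// Returns the parsed payload or throws. rawBody must be the exact string
// received on the wire; re-serialized JSON will not match the signature.
function verifyWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const id = headers["svix-id"];
  const timestamp = headers["svix-timestamp"];
  const sigHeader = headers["svix-signature"];
  if (!id || !timestamp || !sigHeader) throw new Error("missing signature headers");

  // Stale or future-dated timestamps are rejected so a captured request
  // cannot be replayed later.
  if (!/^\d+$/.test(timestamp) ||
      Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    throw new Error("timestamp outside tolerance");
  }

  const expected = Buffer.from(sign(secret, id, timestamp, rawBody), "base64");
  // The header is a space-separated list of "version,signature" entries.
  const ok = sigHeader.split(" ").some((entry) => {
    const [version, sig] = entry.split(",");
    if (version !== "v1" || !sig) return false;
    const candidate = Buffer.from(sig, "base64");
    // Constant-time comparison; lengths must match before timingSafeEqual.
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
  if (!ok) throw new Error("no matching signature");
  return JSON.parse(rawBody);
}

// Constructed demo values (not a real telli secret or message).
const DEMO_SECRET = "whsec_" + Buffer.from("constructed-demo-key").toString("base64");
const DEMO_BODY = '{"test": 2432232314}';
function demoHeaders(timestamp) {
  return {
    "svix-id": "msg_constructed_demo",
    "svix-timestamp": timestamp,
    "svix-signature": "v1," + sign(DEMO_SECRET, "msg_constructed_demo", timestamp, DEMO_BODY),
  };
}
```

In a real handler, read the body as a raw string before any JSON middleware touches it and pass that string to the verifier.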

Retries

Automatic Retries

We attempt to deliver each webhook message based on a retry schedule with exponential backoff. Each message is attempted based on the following schedule, where each period is started following the failure of the preceding attempt:
  • Immediately
  • 5 seconds
  • 5 minutes
  • 30 minutes
  • 2 hours
  • 5 hours
  • 10 hours
  • 10 hours (in addition to the previous)
If an endpoint is removed or disabled, delivery attempts to the endpoint will be disabled as well.

For example, an attempt that fails three times before eventually succeeding will be delivered roughly 35 minutes and 5 seconds following the first attempt.

Manual Retries

You can also use the webhook portal to manually retry each message at any time, or automatically retry (“Recover”) all failed messages starting from a given date.