Webhooks

Owlat supports both outbound customer webhooks and inbound provider webhooks.

Outbound customer webhooks

Configure in Settings → Webhooks.

Supported outbound events:

• email.sent
• email.delivered
• email.opened
• email.clicked
• email.bounced
• email.complained
• contact.created
• list.unsubscribed

Delivery notes

• Endpoint must accept POST
• Use publicly reachable HTTP/HTTPS URLs
• Private/local network hosts are rejected
• Failed deliveries are tracked and can be retried

Signature verification

Webhook secrets use the whsec_... format and are generated at webhook creation.

Every delivery includes these headers:

Payload shape

{
  "event": "email.delivered",
  "timestamp": "2026-03-15T12:00:00.000Z",
  "data": { /* event-specific data */ }
}

Verification example (Node.js)

import crypto from 'crypto'

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex')
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  )
}

// In your webhook handler:
const payload = await request.text()
const signature = request.headers.get('X-Signature')!
const isValid = verifyWebhookSignature(payload, signature, webhookSecret)

Retry behavior

Failed deliveries are retried up to 3 attempts:

1. Immediate
2. After 1 minute
3. After 5 minutes

Each request has a 30-second timeout. Endpoints that resolve to private/local network IPs are rejected.

Inbound provider webhook route

Owlat receives provider status updates at:

POST /webhooks/resend

Handled provider events include:

• email.sent
• email.delivered
• email.delivery_delayed
• email.opened
• email.clicked
• email.bounced
• email.complained

These events update send status, contact activity, blocklist behavior, and campaign analytics.