Webhooks send real-time notifications to your app when specific events occur. When you subscribe to an event, Sandbox delivers the payload directly to your endpoint.
For example, subscribing to tds.206-ab.done notifies you each time a 206AB job completes.
Set up your webhook URL, subscribed events, and secret key in the Sandbox Console. See How to Configure Webhooks for step-by-step instructions.
Validate webhook signatures
When you configure a webhook secret, Sandbox generates a hash signature for each payload. Validate this signature to ensure the webhook is authentic.
Sandbox sends the signature in the x-sandbox-signature header as a base64-encoded hash-based message authentication code (HMAC) computed with SHA-256.
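const crypto = require('crypto');
const express = require('express');

const app = express();
app.use(express.json()); // parse JSON bodies into req.body
// Secret key configured in the Sandbox Console (read from the environment here as an assumption)
const WEBHOOK_SECRET = process.env.WEBHOOK_SECRET;

// Recompute the base64 HMAC-SHA256 of the payload and compare it with the header value.
function validateWebhook(payload, signature, secret) {
  if (typeof signature !== 'string') return false; // header missing
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('base64');
  const received = Buffer.from(signature);
  const expected = Buffer.from(expectedSignature);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  // A constant-time comparison avoids leaking how much of the signature matched.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// In your webhook handler
app.post('/webhook', (req, res) => {
  const signature = req.headers['x-sandbox-signature'];
  const isValid = validateWebhook(req.body, signature, WEBHOOK_SECRET);
  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }
  // Process webhook
  res.status(200).send('OK');
});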
Always validate webhook signatures before processing the payload to prevent unauthorized requests.
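An HMAC only verifies when the receiver hashes exactly the bytes the sender hashed. The following added example (not part of the Sandbox documentation) signs a constructed request body and shows verification over the raw bytes next to verification over re-serialized JSON, plus the tampered, missing-header and truncated cases. The secret, body and the helper names sign, verifyBytes and demo are assumptions for illustration; the page does not state which byte representation Sandbox signs.

```javascript
const crypto = require('crypto');

// Base64 HMAC-SHA256, the signature format the page describes.
function sign(bytes, secret) {
  return crypto.createHmac('sha256', secret).update(bytes).digest('base64');
}

// Hypothetical helper: verify a signature against the exact bytes supplied.
function verifyBytes(bytes, signature, secret) {
  if (typeof signature !== 'string' || !secret) return false;
  const expected = Buffer.from(sign(bytes, secret));
  const received = Buffer.from(signature);
  // Length check first: timingSafeEqual throws on unequal lengths.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample: a body whose spacing and number form
// JSON.parse + JSON.stringify will not reproduce.
const SECRET = 'constructed-test-secret';
const rawBody = Buffer.from('{"event": "tds.206-ab.done", "amount": 10.0}');
const header = sign(rawBody, SECRET); // stands in for x-sandbox-signature

function demo() {
  const text = rawBody.toString('utf8');
  const reserialized = JSON.stringify(JSON.parse(text));
  const tampered = Buffer.from(text.replace('10.0', '99.0'));
  return {
    reserialized,
    rawOk: verifyBytes(rawBody, header, SECRET),
    reserializedOk: verifyBytes(reserialized, header, SECRET),
    tamperedOk: verifyBytes(tampered, header, SECRET),
    missingHeaderOk: verifyBytes(rawBody, undefined, SECRET),
    truncatedOk: verifyBytes(rawBody, header.slice(0, 10), SECRET),
  };
}

console.log(demo());
```

If valid deliveries are rejected by a handler that hashes JSON.stringify(req.body), compare the received bytes with the re-serialized form; in Express, the verify option of express.json() exposes the raw buffer for this purpose.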