> ## Documentation Index
> Fetch the complete documentation index at: https://developer.sandbox.co.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhooks

> Receive real-time notifications when events occur in your Sandbox account.

webhooks send real-time notifications to your app when specific events occur. When you subscribe to an event, Sandbox delivers the payload directly to your endpoint.

For example, subscribing to `tds.206-ab.done` notifies you each time a 206AB job completes.

## Configure webhooks

Set up your webhook url, subscribed events, and secret key in the Sandbox Console. See [How to Configure Webhooks](https://help.sandbox.co.in/portal/en/kb/articles/configure-a-webhook) for step-by-step instructions.

## Validate webhook signatures

When you configure a webhook secret, Sandbox generates a hash signature for each payload. Validate this signature to ensure the webhook is authentic.

Sandbox includes the signature in the `x-sandbox-signature` header using a base64-encoded hash-based message authentication code (HMAC) with SHA-256.

<CodeGroup>
  ```javascript JavaScript theme={null}
  const crypto = require('crypto');

  function validateWebhook(payload, signature, secret) {
    const expectedSignature = crypto
      .createHmac('sha256', secret)
      .update(JSON.stringify(payload))
      .digest('base64');
    
    return signature === expectedSignature;
  }

  // In your webhook handler
  app.post('/webhook', (req, res) => {
    const signature = req.headers['x-sandbox-signature'];
    const isValid = validateWebhook(req.body, signature, WEBHOOK_SECRET);
    
    if (!isValid) {
      return res.status(401).send('Invalid signature');
    }
    
    // Process webhook
    res.status(200).send('OK');
  });
  ```

  ```python Python theme={null}
  import hmac
  import hashlib
  import base64
  import json

  def validate_webhook(payload, signature, secret):
      expected_signature = base64.b64encode(
          hmac.new(
              secret.encode(),
              json.dumps(payload).encode(),
              hashlib.sha256
          ).digest()
      ).decode()
      
      return signature == expected_signature

  # In your webhook handler
  @app.route('/webhook', methods=['POST'])
  def handle_webhook():
      signature = request.headers.get('x-sandbox-signature')
      is_valid = validate_webhook(request.json, signature, WEBHOOK_SECRET)
      
      if not is_valid:
          return 'Invalid signature', 401
      
      # Process webhook
      return 'OK', 200
  ```
</CodeGroup>

<Warning>
  Always validate webhook signatures before processing the payload to prevent unauthorized requests.
</Warning>
