Webhooks
Subscribe to events instead of polling. We POST a JSON payload to your endpoint the moment something changes — signed so you can trust it.
Setup
Add an endpoint URL in your dashboard and pick the events to subscribe to. Each endpoint gets its own signing secret (whsec_…). Hit Send test to fire a sample webhook.test payload and confirm your receiver works.
Events
tracking.updated— a parcel changed status.qc.batch.created— new QC photos landed for a product.convert.resolved— an async conversion finished.
Payload
POST your-endpoint
{
"event": "tracking.updated",
"created": "2026-06-24T08:14:00Z",
"data": {
"tracking_id": "YT2530998211074512",
"status": "in_transit",
"eta": "2026-07-02"
}
}Verifying signatures
Every request carries an X-Reps-Signature header — an HMAC-SHA256 of the raw body using your webhook secret. Recompute it and compare before trusting the payload.
verify.ts
import { createHmac, timingSafeEqual } from "node:crypto";
function verify(raw: string, signature: string, secret: string) {
const expected = createHmac("sha256", secret).update(raw).digest("hex");
return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}