Events
Subscribing
secret is shown ONCE):
"*" in the events array to subscribe to everything.
Payload format
id first — events are guaranteed unique per delivery attempt, so use it as your dedupe key.
Verifying the signature
Every delivery includes:${timestamp}.${rawBody} with your webhook secret as the key.
Retry policy
If your endpoint doesn’t return 2xx within 15s, Rimp retries with exponential backoff:
After 6 attempts the delivery is marked
exhausted. You can replay any delivery from the dashboard.
Best practices
- Return 2xx fast. Acknowledge the event, then process async. Heavy work should never run in the webhook handler.
- Dedupe by
event.id. Same event can be delivered more than once during retries. - Verify before trusting. Don’t parse the body before checking the signature.
- Pin the secret. Each webhook has its own
whsec_…. Store it in your env per environment. - Listen for
*in dev. Easier than subscribing to each event individually.