Skip to main content
Webhooks let your backend react to Rimp events without polling. Every payload is HMAC-signed; verify the signature before trusting it.

Events

Subscribing

Response (the secret is shown ONCE):
Use "*" in the events array to subscribe to everything.

Payload format

Always parse the id first — events are guaranteed unique per delivery attempt, so use it as your dedupe key.

Verifying the signature

Every delivery includes:
The signature is HMAC-SHA-256 over ${timestamp}.${rawBody} with your webhook secret as the key.

Retry policy

If your endpoint doesn’t return 2xx within 15s, Rimp retries with exponential backoff: After 6 attempts the delivery is marked exhausted. You can replay any delivery from the dashboard.

Best practices

  • Return 2xx fast. Acknowledge the event, then process async. Heavy work should never run in the webhook handler.
  • Dedupe by event.id. Same event can be delivered more than once during retries.
  • Verify before trusting. Don’t parse the body before checking the signature.
  • Pin the secret. Each webhook has its own whsec_…. Store it in your env per environment.
  • Listen for * in dev. Easier than subscribing to each event individually.