Setup
- Open Administration → API Access → Webhooks in the Asset Manager dashboard
- Create a webhook with your HTTPS endpoint URL
- Select the events you want to receive
- Copy the signing secret
Delivery pipeline
- Events are written to a webhook outbox table
- A message is queued to SQS for delivery
- The delivery worker POSTs to your URL with signed headers
- Each attempt is logged (status code, response body, success/failure)
- Failed deliveries are retried automatically
Reliability
| Setting | Value |
|---|---|
| Request timeout | 5 seconds |
| Max retries per delivery | 5 |
| Retry delay | 60s first retry, then +40s each time |
| Auto-disable threshold | 5 consecutive delivery failures |
| Failure notifications | Email sent to tenant admins on every failed delivery |
Delivery failures
A delivery counts as a failure when:- Your endpoint does not respond within 5 seconds
- Your endpoint returns a non-2xx HTTP status
- The connection cannot be established (DNS, TLS, or network error)
Retry schedule
Retries use incremental backoff. The first retry waits 60 seconds; each subsequent retry adds 40 seconds:| After failed attempt | Wait before next retry |
|---|---|
| 1st | 60 seconds |
| 2nd | 100 seconds |
| 3rd | 140 seconds |
| 4th | 180 seconds |
60 + (attempt − 1) × 40 seconds.
After the 5th failed attempt, the event is not retried further and may move to a dead-letter queue for investigation.
Failure notifications
Tenant administrators receive an email on every failed delivery. The email includes:- Webhook name and URL
- Event type that failed to deliver
- HTTP status (or
unreachableif no response) - Current consecutive failure count (e.g.
3 of 5)
Auto-disable
After 5 consecutive delivery failures for the same webhook:- The webhook status is set to DISABLED
- No further events are delivered to that endpoint
- Tenant administrators receive a final email confirming the disable
0.
Re-enable the webhook in Administration → API Access → Webhooks after fixing your endpoint. Verify your server accepts signed POST requests and returns 2xx within the timeout.
Request format
Every delivery is an HTTPPOST with a JSON body:
Headers
| Header | Description |
|---|---|
content-type | application/json |
x-st-event | Event type (e.g. order.created) |
x-st-webhook-id | Outbox delivery ID |
x-st-signature | HMAC-SHA256 hex signature of the raw body |
x-st-signature-alg | HMAC_SHA256_HEX |
Next steps
Signature verification
Verify that events are authentic.
Event catalog
All supported events and payload fields.

