Webhooks

Receive real-time notifications when events occur in your Rebased account.

How Webhooks Work

When something happens in Rebased (e.g., an invoice is created), we send an HTTP POST request to your specified URL with details about the event. Your server can then process this data automatically.

Creating a Webhook

1. Go to Settings → Integrations in your Rebased account
2. Click the Webhooks tab
3. Click Create Webhook
4. Enter a name and optional description
5. Enter your destination URL (must be HTTPS in production)
6. Select the events you want to receive
7. Click Create Webhook

Your signing secret will be displayed once. Copy it immediately — you’ll need it to verify webhook signatures.

Available Events

Webhook Payload

Each webhook delivery includes:

{
  "event_type": "invoice.created",
  "event_id": "evt_abc123",
  "timestamp": "2026-03-08T12:00:00Z",
  "data": {
    "id": "inv_xyz789",
    "business_id": "bus_123",
    // ... event-specific data
  }
}

Verifying Signatures

Every webhook request includes a signature header to verify it came from Rebased. Always verify signatures before processing webhooks.

Headers

Verification Example

import hmac
import hashlib
 
def verify_signature(payload, signature, timestamp, secret):
    # Construct the signed payload
    signed_payload = f"{timestamp}.{payload}"
    
    # Calculate expected signature
    expected = hmac.new(
        secret.encode(),
        signed_payload.encode(),
        hashlib.sha256
    ).hexdigest()
    
    # Compare signatures
    return hmac.compare_digest(expected, signature)

const crypto = require('crypto');
 
function verifySignature(payload, signature, timestamp, secret) {
  const signedPayload = `${timestamp}.${payload}`;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(signedPayload)
    .digest('hex');
  
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signature)
  );
}

Managing Webhooks

Testing a Webhook

Click the Test button on any webhook to send a test event. This helps verify your endpoint is receiving and processing webhooks correctly.

Pausing a Webhook

If you need to temporarily stop receiving events:

1. Find the webhook in Settings → Integrations → Webhooks
2. Click the Pause button

Paused webhooks won’t receive events until resumed.

Rotating the Signing Secret

If your signing secret is compromised:

1. Find the webhook in Settings → Integrations → Webhooks
2. Click Rotate Secret
3. Copy the new secret immediately
4. Update your server with the new secret

The old secret is immediately invalidated.

Deleting a Webhook

1. Find the webhook in Settings → Integrations → Webhooks
2. Click the Delete button
3. Confirm the action

Deleted webhooks cannot be restored.

Retry Policy

If your endpoint returns an error (non-2xx status code) or times out, we’ll retry the delivery:

After 5 failed attempts, the delivery is marked as failed. You can manually retry failed deliveries from the webhook details page.

Best Practices

• Respond quickly — Return a 2xx response within 30 seconds
• Process asynchronously — Queue webhook data for background processing
• Verify signatures — Always verify the X-Rebased-Signature header
• Handle duplicates — Use the X-Rebased-Delivery header to deduplicate
• Use HTTPS — Production endpoints must use HTTPS

Who Can Manage Webhooks

Webhooks can be created and managed by:

• Business Admins — Full access to all integrations
• Advisors — Can manage integrations for client businesses they have access to

Team members with other roles cannot create or view webhooks.