Skip to content
AM

Webhook overview

InBlack has provider-owned inbound callbacks and a customer-configurable Studio outbound webhook. Each route has its own authentication, payload, and retry contract; there is no universal webhook envelope across all providers.

Inbound callbacks

The generated HTTP inventory classifies registered provider callbacks, including Stripe receivers and other integration-specific webhook routes. Verify each provider with its documented signature scheme and secret. For example, Stripe callbacks use Stripe’s SDK/signature contract; they do not use the Studio outbound header.

See Stripe webhooks inbound and Additional providers for the source-backed routes.

Studio outbound webhook

Studio lets a site owner register an event name, public HTTP(S) URL, optional signing secret, and active flag. The UI currently offers deployment.live, deployment.failed, order.created, and form.submitted.

The checked-in dispatcher currently delivers only form.submitted. The other event names can be stored by the UI, but no reviewed source path dispatches them. Do not build a customer integration that depends on those names until a delivery producer exists.

Successful delivery requires a 2xx. The dispatcher retries network errors, 408, 429, and 5xx, up to three total attempts with 1-second then 2-second delays. Other non-2xx responses fail without retry. Requests time out after 10 seconds and redirects are not followed.

The destination validator allows only HTTP(S), resolves DNS before dialing, and rejects local, private, link-local, multicast, documentation, and other blocked address ranges.

Delivery headers

Studio sends:

Content-Type: application/json
User-Agent: inblack-webhook-delivery/1.0
X-InBlack-Event: form.submitted
X-InBlack-Site-ID: <site UUID>
X-InBlack-Delivery-ID: <delivery UUID>
X-InBlack-Signature: sha256=<hex digest> # only when a secret is configured

The delivery record tracks queued, retrying, delivered, or failed state plus attempt count, status code, a bounded response body, and the last error. The current UI displays recent delivery state; it does not expose a manual redelivery action.

See Studio site webhooks for the payload and Verifying signatures for the exact HMAC check.