Reference

Verifying signatures

HMAC-SHA256 with replay protection.

POST/api/v1/webhooks/{webhookId}/test

Each webhook request carries Plurall-Signature: t=<unix>, v1=<hex>. Compute HMAC over `${t}.${rawBody}` and compare in constant time.

curl -X POST https://api.plurall.tech/api/v1/webhooks/wh_123/test \
  -H "Authorization: Bearer pl_sbx_key_..."

OpenAPI source

Send a signed test event

testWebhookEndpoint

Scopes

webhooks:manage

Request

none

Response

202 WebhookDelivery

This method/path/schema block is rendered from the shared OpenAPI registry, not hand-authored page copy.

Clock drift

Reject requests where `t` differs from your server clock by more than 5 minutes. This window protects against replay while tolerating reasonable clock skew.

← Docs index Try in sandbox