Skip to main content
Receive real-time notifications when events occur in your NAWA account. Webhooks use HMAC-SHA256 signatures for security.

Event types

Webhook payload

Webhook signing secret

Your webhook signing secret starts with nawa_wh_ and is generated when you register a webhook endpoint. Store it securely - it’s shown only once.

Signature verification

Every webhook request includes an X-NAWA-Signature header containing the HMAC-SHA256 signature of the request body.
Always verify webhook signatures before processing events. Never trust the payload without signature validation.

Retry policy

If your endpoint returns a non-2xx status code, NAWA retries with exponential backoff: After 10 consecutive failures, the webhook endpoint is automatically disabled and you’ll receive an email notification. Re-enable it from the dashboard after fixing the issue.

Testing webhooks

A dedicated webhook test-fire endpoint is planned. In the meantime, you can test your webhook handler by sending a POST request directly to your own endpoint with a sample payload matching the format above.