Event types
Webhook payload
Webhook signing secret
Your webhook signing secret starts withnawa_wh_ and is generated when you register a webhook endpoint. Store it securely - it’s shown only once.
Signature verification
Every webhook request includes anX-NAWA-Signature header containing the HMAC-SHA256 signature of the request body.
Retry policy
If your endpoint returns a non-2xx status code, NAWA retries with exponential backoff:
After 10 consecutive failures, the webhook endpoint is automatically disabled and you’ll receive an email notification. Re-enable it from the dashboard after fixing the issue.
Testing webhooks
A dedicated webhook test-fire endpoint is planned. In the meantime, you can test your webhook handler by sending a POST request directly to your own endpoint with a sample payload matching the format above.