Apply webhooks

In webhook mode (applyMode = 'webhook'), a completed import is delivered to your backend as an HTTP POST — HMAC-signed, retried durably, and recorded in a delivery audit log.

The request

POST /your/apply-endpoint
x-import-event: import.applied
x-import-delivery-id: dlv_4f2…
x-import-timestamp: 1717000000
x-import-signature: t=…,v1=hmac_sha256(body)…
content-type: application/json

{
  "event": "import.applied",
  "recordId": "rec_…",
  "action": "submit",
  "rowCount": 128,
  "mapping": { "Email": "person.email", "First name": "person.firstName" },
  "rows": [{ "person.email": "ada@example.com", "person.firstName": "Ada" }]
}

Verify the signature

Compute an HMAC-SHA256 over the raw request body using your delivery secret, and compare it in constant time to the v1 value in x-import-signature. The t= value is the signed timestamp — reject deliveries whose timestamp is too old to blunt replay attacks.

import { createHmac, timingSafeEqual } from 'node:crypto';

function verify(rawBody: string, header: string, secret: string): boolean {
  const parts = Object.fromEntries(header.split(',').map(kv => kv.split('=')));
  const expected = createHmac('sha256', secret).update(`${parts.t}.${rawBody}`).digest('hex');
  const got = Buffer.from(parts.v1 ?? '', 'hex');
  const exp = Buffer.from(expected, 'hex');
  return got.length === exp.length && timingSafeEqual(got, exp);
}

Verify before you trust

Always verify the signature and timestamp before acting on a delivery, and read the raw body bytes — re-serializing the JSON first will change the signature.

Retries & idempotency

Deliveries retry with backoff until your endpoint returns 2xx. Use x-import-delivery-id (or recordId) to dedupe — the same import may be delivered more than once.