Skip to content
QSign QSign Docs

Webhooks

Webhooks let QSign push events to your server the moment something happens — instead of you polling status.

Register an endpoint

Section titled “Register an endpoint”

Save your HTTPS endpoint with POST /webhook/save/ (or in the Developer portal). The URL must be public HTTPS — internal/loopback URLs are rejected by SSRF protection.

Verify the signature

Section titled “Verify the signature”

Every delivery carries an HMAC signature computed with your webhook secret. Verify it over the raw request body before trusting the payload:

import hmac, hashlib
expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
assert hmac.compare_digest(expected, received_signature)

Reveal or rotate the secret in the Developer portal. Respond 2xx quickly; QSign records every delivery attempt (event, target URL, attempts, status code, success) so you can inspect failures.

Test it

Section titled “Test it”

Use Send test event in the Developer portal to fire a synthetic webhook.test payload at your endpoint — it shows up in the delivery log like any real event.