Webhooks Overview

Tenreply uses REST Hooks — you register a target URL for a specific event, and Tenreply POSTs to that URL whenever the event fires. This is the same mechanism used by the Zapier integration.

Subscribing

curl -X POST https://api.tenreply.com/api/webhooks/subscriptions \
  -H "Authorization: Bearer trl_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "event": "message.received", "targetUrl": "https://your-server.com/hook" }'

Response:

{ "id": "sub_abc123", "event": "message.received", "secret": "abcdef1234..." }

Save the id — you need it to unsubscribe. Save the secret — use it to verify signatures.

Unsubscribing

curl -X DELETE https://api.tenreply.com/api/webhooks/subscriptions/sub_abc123 \
  -H "Authorization: Bearer trl_live_..."

Verifying signatures

Every delivery includes an X-Tenreply-Signature header containing sha256=<hmac>. Compute the HMAC yourself and compare:

const crypto = require('crypto');

function verifySignature(body, signature, secret) {
  const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}

Reject requests where the signature doesn’t match.

Retries

If your endpoint returns a non-2xx status code, Tenreply retries up to 5 times with exponential backoff (5s, 10s, 20s, 40s, 80s). Return 200 OK as fast as possible and process the payload asynchronously.

Return 410 Gone to permanently cancel the subscription.