Webhooks
Receive real-time HTTP callbacks when email events occur in Taifa Mail.
Webhooks let you receive real-time notifications about email events by POSTing JSON payloads to a URL you control. Instead of polling the API, your server gets notified the moment something happens.
Setting up a webhook
Via the dashboard
- Go to Settings → Webhooks.
- Click Add Webhook.
- Enter your endpoint URL (must be HTTPS).
- Select the events you want to receive.
- Click Save.
Via the API
The create response includes the webhook's id, url, events, secret, is_active flag, and created_at. Store the secret - you need it to verify incoming requests.
List all webhooks:
A webhook can be updated with PATCH /v1/webhooks/{id} (change url, events, or is_active) and removed with DELETE /v1/webhooks/{id}.
Events
A webhook subscribes to a list of event-type strings. Only events whose type is in the webhook's events array are delivered. Event types use the email.<event> form, for example email.sent, email.delivered, email.opened, email.clicked, email.bounced, email.failed.
Payload format
Each delivery is a POST with a JSON body shaped like this:
type is the event type, email_id is the email the event belongs to, and data carries any event-specific metadata.
Every request also carries these headers:
| Header | Value |
|---|---|
X-TaifaMail-Event | The event type (same as type in the body). |
X-TaifaMail-Delivery-ID | The unique ID of this delivery attempt. |
X-TaifaMail-Signature | HMAC-SHA256 signature of the body (see below). |
Retry policy
A delivery is treated as successful only when your endpoint responds with a 2xx status. A non-2xx response, a timeout (30-second limit), or a connection error counts as a failure and is retried:
| Attempt | Delay before retry |
|---|---|
| 1 | 1 minute |
| 2 | 5 minutes |
| 3 | 30 minutes |
| 4 | 2 hours |
| 5 | 8 hours |
After five retries are exhausted, Taifa Mail stops retrying that delivery and sends you an in-app notification so you can fix the endpoint. Every attempt is recorded - see the webhook's deliveries below.
Inspecting deliveries
Each attempt is logged as a delivery with its status, the HTTP response code, the attempt number, and the next scheduled retry.
Fetch a single attempt - including the full payload and response body - with GET /v1/webhooks/{webhook_id}/deliveries/{delivery_id}.
Verifying webhook signatures
Every webhook request includes an X-TaifaMail-Signature header. Verify it to ensure the request came from Taifa Mail and was not tampered with.
The header value is sha256= followed by the HMAC-SHA256 hex digest of the raw request body, signed with your webhook's secret (returned when you create the webhook).
Always verify the X-TaifaMail-Signature header before processing webhook payloads. Without verification, an attacker could forge webhook requests to your endpoint.
Testing webhooks
Use a service like webhook.site to get a temporary URL for testing. Add it as a webhook endpoint and inspect the payloads it receives.
Click Send Test next to any webhook in the dashboard (or call POST /v1/webhooks/{webhook_id}/test) to queue a sample email.delivered delivery without sending a real email. The test delivery appears in the webhook's deliveries like any other.