Webhooks
Subscribe to events. Every payload is HMAC SHA-256 signed. Failed deliveries retry with exponential backoff for up to 24 hours.
Set up an endpoint
- Go to Settings, Developers, Webhooks. Add an endpoint URL.
- Pick the events you want. Save to receive a signing secret.
- Verify the signature on every request before trusting the body.
Payload shape
// payload.jsonJSON
{
"id": "evt_01HE2VKQ8Z4M...",
"type": "canvas.block.added",
"created": 1746273600,
"data": {
"canvas_id": "cnv_8Gh2x4nQ",
"block": { "id": "blk_x9Q...", "type": "figma" }
}
}Verify the signature
// verify.tsTypeScript
const sig = req.headers["allo-signature"]
const ok = allo.webhooks.verify(raw, sig, secret)
if (!ok) return res.status(400).end()
// WARN · Use constant time compare
Don't compare signatures with == or strcmp. The SDK uses constant time compare under the hood.
Event reference
| Event | Description |
|---|
| canvas.created | A new canvas was created. |
| canvas.updated | Title, description, or block changes. |
| canvas.block.added | A block was dropped on the canvas. |
| canvas.block.removed | A block was deleted. |
| comment.created | New comment with pinned coordinates. |
| comment.resolved | Comment thread was resolved. |
| project.status_changed | Project moved between statuses. |
| goal.progress_updated | OKR progress changed. |
| member.invited | Member or guest accepted an invite. |
| share_link.viewed | Public share link was opened. |
Retry policy
Non 2xx responses retry on an exponential schedule: 30s, 2m, 10m, 1h, 4h, 12h, 24h. After 24h the event is dropped and surfaced in the dashboard.