# Webhooks Overview

> Source: https://truto.one/docs/guides/webhooks/overview/

Truto provides webhooks that notify you of interesting events happening in your Truto account. They can also notify you about changes in third-party app integrations: Truto receives the webhook events from the integrations and proxies them to your endpoint in a unified format (coming soon).

> [Webhooks API reference](/docs/api-reference/admin/webhooks/list)

## Webhook endpoints

### HTTPS only
All webhook endpoints must use HTTPS and must support the POST method.

## Security

### SHA256 Signature

Every request made to a webhook endpoint has an `x-truto-signature` header, which contains the SHA256 HMAC of the request body being sent. This lets you verify that requests originate from Truto. The SHA256 HMAC uses a `secret` string (UUID) which is shared with you when the webhook is created. See [creating webhook endpoint](/docs/api-reference/admin/webhooks/create).

To prevent replay attacks, you can check the `created_at` attribute of the request body and ignore the webhook event if it is older than a certain timeframe. The request body also contains a unique `id` for each webhook event.

> See [verifying webhook events](/docs/guides/webhooks/processing-webhook-events#verification-of-the-webhook-event)
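
A receiver-side check that combines the signature and replay guidance above, as an added example that is not Truto's own code. It assumes the header carries the hex-encoded HMAC, that `created_at` is an ISO 8601 timestamp, and a five-minute tolerance; `verify_webhook`, `MAX_AGE` and `SEEN_IDS` are hypothetical names, so confirm the exact header format in the verification guide linked above.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed tolerance; the page leaves the timeframe to you
SEEN_IDS = set()  # in-memory for the example; use a shared store with expiry in production


def verify_webhook(raw_body, signature, secret, now=None):
    """Return (accepted, reason) for one delivery. raw_body is the unparsed bytes."""
    # Compute the HMAC over the exact bytes received, before any JSON parsing.
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Assumption: the header value is the hex digest. Compare in constant time.
    if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
        return False, "bad signature"

    # Only parse the body once it is authenticated.
    try:
        event = json.loads(raw_body)
        # Assumption: created_at is an ISO 8601 timestamp.
        created = datetime.fromisoformat(event["created_at"].replace("Z", "+00:00"))
        event_id = str(event["id"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False, "malformed body"
    if created.tzinfo is None:
        created = created.replace(tzinfo=timezone.utc)

    now = now or datetime.now(timezone.utc)
    if abs(now - created) > MAX_AGE:  # also rejects timestamps far in the future
        return False, "stale event"
    if event_id in SEEN_IDS:  # same event delivered again inside the window
        return False, "duplicate id"
    SEEN_IDS.add(event_id)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample delivery; the secret and event values are placeholders.
    secret = "00000000-0000-4000-8000-000000000000"
    body = json.dumps({"id": "evt-1", "created_at": "2024-05-01T12:00:00Z"}).encode()
    sig = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    at = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    print(verify_webhook(body, sig, secret, now=at))  # first delivery
    print(verify_webhook(body, sig, secret, now=at))  # replay of the same event
```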

## Retries

Webhook endpoints need to respond with HTTP status code `200`. In case of 4XX and 5XX status codes, Truto will retry 3 times with exponential backoff of a maximum of 10 seconds before giving up.

Prolonged failures from a webhook endpoint will automatically make the webhook endpoint inactive. Inactive webhooks have the `is_active` attribute set to `false`. Inactive webhook endpoints will not receive any further events. We'll notify you via email when a webhook is marked as inactive.

## Logging (coming soon)

All webhook deliveries will be logged and will be available via an API.
