Webhooks

Configure an HTTPS endpoint in the portal and we push delivery events as they happen with no polling. Payloads are signed with your webhook secret using HMAC-SHA256 over the raw body.

The email sandbox simulator can fire delivery, bounce, complaint, and suppression events before production sending. For the product overview, read the email webhooks guide. For the broader security overview, read NoticeAPI security and data practices.

Event types

email.deliveredMailbox accepted the message
email.bouncedHard bounce; recipient auto-suppressed
email.filteredspamMarked as spam; auto-suppressed
email.suppressedProvider-level suppression
email.quarantinedQuarantined by the receiving server
email.unsubscribedBroadcast recipient unsubscribed
email.receivedInbound message accepted for a verified receiving domain

Payload

delivery
POST https://yourapp.com/webhooks/email
x-noticeapi-event: email.bounced
x-noticeapi-signature: sha256=8f3a...

{
  "type": "email.bounced",
  "messageId": "0f83...",
  "recipient": "[email protected]",
  "timestamp": "2026-07-02T18:04:14.000Z",
  "detail": "550 5.1.1 mailbox unavailable",
  "accountId": "..."
}

Verify signatures

Always verify x-noticeapi-signature before trusting a payload. Your signing secret is shown on the Webhooks page.

verify.ts
import { createHmac, timingSafeEqual } from "node:crypto";

export function verifyNoticeSignature(rawBody: string, header: string, secret: string) {
  const expected = "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
  const a = Buffer.from(expected);
  const b = Buffer.from(header);
  return a.length === b.length && timingSafeEqual(a, b);
}

Delivery semantics

Events are sent with a 5-second timeout. Respond with any 2xx quickly and process async. Multiple endpoints can be configured from the portal; design each handler to be idempotent on messageId + type.