Webhook Signature

  • Webhooks are secured with an HMAC-SHA256 signature.
  • The Sezzle-Signature header contains a hash of the webhook body, generated using the merchant private key.
  • Always verify that the signature matches the webhook data to confirm it originates from Sezzle.

Webhook Acceptance and Retries

  • A webhook is considered delivered once an HTTP 200 OK response is received.
  • Non-200 responses trigger retries:
    • Multiple attempts in the first hour.
    • A few attempts throughout the day.
    • Final attempts one day and three days later, spanning five days total.
  • If the final retry fails, the webhook subscription is deleted for all events.
  • To resume receiving webhooks, recreate the webhook.
  • Webhooks may not arrive in chronological order, as new ones can be sent before retries of older ones.
  • Retried webhooks use the current merchant private key for signing, so the signature may differ from the original if the key has changed.
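
The signature check from "Webhook Signature" and the key-change note on retries, as a receiver-side sketch. This is an added example, not Sezzle's code. Assumptions: the header carries the digest hex-encoded, the receiver keeps the previous key for a while after a key change, and the function names, keys and body are constructed for illustration.

```python
import hashlib
import hmac


def compute_signature(raw_body: bytes, private_key: str) -> str:
    """HMAC-SHA256 over the exact request bytes (hex encoding is an assumption)."""
    return hmac.new(private_key.encode(), raw_body, hashlib.sha256).hexdigest()


def signature_is_valid(raw_body: bytes, header_value, candidate_keys) -> bool:
    """Check the Sezzle-Signature value against every key the merchant still holds."""
    if not header_value:
        return False
    received = header_value.strip().lower().encode()
    ok = False
    for key in candidate_keys:
        expected = compute_signature(raw_body, key).encode()
        # compare_digest is constant-time, so response timing does not
        # reveal how much of a guessed signature was correct.
        ok |= hmac.compare_digest(expected, received)
    return ok


def handle_webhook(headers: dict, raw_body: bytes, candidate_keys) -> int:
    """Return the HTTP status to send; only 200 marks the webhook as delivered."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not signature_is_valid(raw_body, lowered.get("sezzle-signature"), candidate_keys):
        return 401  # reject before the body is parsed or acted on
    # Parse raw_body and process the event here. Verify the raw bytes first:
    # re-serialised JSON will not hash to the same value.
    return 200


# Constructed sample data, not real keys or a real Sezzle payload.
OLD_KEY = "constructed-old-private-key"
NEW_KEY = "constructed-new-private-key"
BODY = b'{"event":"constructed.example","id":"1234"}'

if __name__ == "__main__":
    first_delivery = {"Sezzle-Signature": compute_signature(BODY, OLD_KEY)}
    retry_after_key_change = {"sezzle-signature": compute_signature(BODY, NEW_KEY)}
    print(handle_webhook(first_delivery, BODY, [NEW_KEY, OLD_KEY]))          # 200
    print(handle_webhook(retry_after_key_change, BODY, [NEW_KEY, OLD_KEY]))  # 200
    print(handle_webhook(retry_after_key_change, BODY, [OLD_KEY]))           # 401
    print(handle_webhook(first_delivery, BODY + b" ", [NEW_KEY, OLD_KEY]))   # 401
```

A receiver that only knows the old key rejects a retry signed after the key change, and repeated non-200 responses eventually remove the subscription, so update the receiver's key list when the merchant key changes.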