Skip to main content

Webhook Signature, Acceptance and Retries

Webhook Signature

Webhooks are signed with an HMAC using the SHA256 algorithm. The header Sezzle-Signature value is a hash of the webhook's body with your merchant private key.

You should always verify that the signature matches the webhook data to ensure that the webhook came from Sezzle.

Webhook Acceptance and Retries

A webhook has been successfully sent when we receive an HTTP 200 Status OK response. Any other response will queue the webhook to be retried. We will retry several times within the first hour, and a few times for the remainder of that day. The final two attempts are made one day later, and then 3 days later, for a total elapsed time of five days.

If the final retry fails, then that subscribed webhook will be deleted for all events. You will need to create the webhook again to resubscribe, if desired.

It is possible that new webhooks will arrive before old webhooks have been retried, so webhooks are not guaranteed to be received in cronological order. Webhooks are signed using the current merchant private key, not the private key at the time of their creation, so a retried webhook may have a different signature if the keys are changed after its originating event.