Webhooks
Receive real-time push notifications when new high-signal events are scored. Webhooks are HMAC-signed and retried with exponential backoff.
Setup
- Create an HTTPS endpoint on your side that accepts
POST. - In
/app/developer, click Add webhook; paste the URL. - The signing secret is shown once. Save it; you'll use it to verify each request.
Headers we send
http
POST /your-webhook HTTP/1.1
Content-Type: application/json
User-Agent: IntelligenceWebhook/1.0
X-Intelligence-Event: signal.created
X-Intelligence-Delivery: 0e9c…(uuid)
X-Intelligence-Signature: t=1747260000,v1=<hex sha256>Verifying the signature
The signature is HMAC-SHA256(`$${ts}.$${rawBody}`, signingSecret). Reject any request older than 5 minutes (replay window).
js
import crypto from 'node:crypto'
function verify(rawBody, header, secret) {
const m = /^t=(\d+),v1=([0-9a-f]+)$/.exec(header ?? '')
if (!m) return false
const [, ts, sig] = m
// Replay protection: drop anything older than 5 minutes
if (Math.abs(Date.now() / 1000 - Number(ts)) > 300) return false
const expected = crypto
.createHmac('sha256', secret)
.update(`${ts}.${rawBody}`)
.digest('hex')
return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))
}Payload
json
{
"event": "signal.created",
"data": {
"signal": { "id": "…", "signal_score": 84, "importance_score": 92, "…": "…" },
"contract": { "id": "CONT_AWD_…", "ticker": "LMT", "…": "…" }
},
"ts": 1747260000123
}Retry policy
Any non-2xx response triggers a retry. We attempt up to 6 times with exponential backoff: 30s · 1m · 2m · 4m · 8m. After that the delivery is marked failedand visible in your dashboard.
Security
- Only HTTPS URLs are accepted; non-HTTPS or RFC1918 addresses are blocked.
- Treat the signing secret like an API key — never expose it client-side.
- Rotate the secret by deleting the webhook and re-creating it.