# Webhook events

Configure webhook endpoints in **Dashboard → Settings → Integrations** to receive event notifications.

## Verifying signatures

Every webhook request includes an `X-LiveLayer-Signature` header: a hex-encoded HMAC-SHA256 of the raw request body, keyed with your webhook secret.

```ts title="verify.ts"
import { createHmac, timingSafeEqual } from "node:crypto";

export function verify(rawBody: string, signature: string, secret: string): boolean {
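  // Recompute the HMAC over the exact bytes received, not over re-serialized JSON.
  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
  const a = Buffer.from(expected);
  const b = Buffer.from(signature);
  // timingSafeEqual throws on unequal lengths, so check the length first;
  // the comparison itself runs in constant time.
  return a.length === b.length && timingSafeEqual(a, b);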
}
```

> [!WARNING]
> Always verify signatures before trusting webhook payloads. Anyone can POST to your endpoint URL.

## Event catalog

<!-- omitted: EventTable -->

## Delivery and retries

- Events are sent as `POST` requests to your URL with `Content-Type: application/json`.
- Expected response: `2xx` within 5 seconds.
- On non-2xx or timeout, we retry with exponential backoff: 1m, 5m, 30m, 2h, 6h, 24h. After that, the event is dropped.
- Idempotency: every event has a unique `id` you can use to dedupe.
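
The receiver logic below combines the signature check with the delivery rules above: verify the raw body, then parse, then dedupe on `id`, and acknowledge quickly. It is an added example, not LiveLayer's own code; `handleDelivery`, `sign`, the in-memory `Set`, the status codes returned for rejected requests, and the sample event shape are assumptions.

```ts
import { createHmac, timingSafeEqual } from "node:crypto";

type Outcome = { status: number; action: "rejected" | "malformed" | "duplicate" | "processed" };

// Same check as verify.ts above, repeated so this block runs on its own.
function verify(rawBody: string, signature: string, secret: string): boolean {
  const expected = Buffer.from(createHmac("sha256", secret).update(rawBody).digest("hex"));
  const given = Buffer.from(signature);
  return expected.length === given.length && timingSafeEqual(expected, given);
}

// Helper for the constructed sample: signs a body the way the page describes.
export function sign(rawBody: string, secret: string): string {
  return createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Hypothetical handler core: pass the exact body received, before any JSON parsing.
export function handleDelivery(
  rawBody: string,
  signature: string | undefined,
  secret: string,
  seenIds: Set<string>, // assumption: in-memory; keep ids at least as long as the retry window
): Outcome {
  // 1. Authenticate first. Nothing in the body is trusted until the HMAC matches.
  if (!signature || !verify(rawBody, signature, secret)) {
    return { status: 401, action: "rejected" };
  }
  // 2. Parse only after verification; tolerate bodies that are not JSON objects.
  let id: unknown;
  try {
    id = JSON.parse(rawBody)?.id;
  } catch {
    return { status: 400, action: "malformed" };
  }
  if (typeof id !== "string") return { status: 400, action: "malformed" };
  // 3. Dedupe on the event id: a retried event is acknowledged, not processed twice.
  if (seenIds.has(id)) return { status: 200, action: "duplicate" };
  seenIds.add(id);
  // 4. Acknowledge now and queue slow work, so the 5 second window is not missed.
  return { status: 200, action: "processed" };
}

// Constructed sample delivery (every field other than `id` is an assumption).
export const SECRET = "whsec_example_constructed";
export const BODY = '{"id":"evt_0001","type":"example.created"}';
```

Feed `handleDelivery` the body exactly as it arrived on the wire. A JSON body parser that runs first discards the original bytes, and a re-serialized object will not reproduce the signature.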
