Webhooks Are Live: Deliver Events to Your Endpoint
Webhooks are live. Pick the events you want, point them at your webhook endpoint, and receive verified, signed notifications about activity in your account.
Summary (TL;DR)
- Subscribe to specific events and receive POSTs to your endpoint.
- All payloads are protected by a signing secret you verify on your side.
- Unlimited plan users may set a custom signing secret up to 64 characters and receive up to 10,000 events/month.
Event contract and delivery
Short and practical:
- Events are JSON POSTs with
id,type,timestamp,version,account_id,resource, optionalactor, and adataobject containing event details. - Ellipticc Drive is end-to-end encrypted. Webhook payloads do not include plaintext file contents or user secrets; for file events the
dataobject contains only identifiers and metadata visible to the client (for example:id,mimetype,size,uploaded_at/modified_at,share_status). - Events are versioned and delivered at-least-once. Deduplicate using
idand design idempotent handlers.
Example payload:
{ "id": "evt_01F", "type": "file.uploaded", "version": "1", "timestamp": "2026-01-16T12:34:56Z", "account_id": "acct_01F", "resource": { "type": "file", "id": "file_01F" }, "actor": { "type": "user", "id": "user_01F" }, "data": { "mimetype": "image/jpeg", "size": 12345, "uploaded_at": "2026-01-16T12:30:00Z", "share_status": "private" }, "metadata": { "request_id": "d938d559-d31c-429f-865d-77fbcb233d52" }}Signing, replay protection, and verification
- Payloads are signed with HMAC-SHA256 over the raw body. Signature header:
X-Ellipticc-Signaturein the form<sig_id>=<hex>. - Verify signature using a timing-safe comparison and reject mismatches.
- Check
X-Ellipticc-Timestampto mitigate replay attacks; allow a small clock skew (±5 minutes).
Node.js verification (raw body required):
const crypto = require('crypto');function verify(secret, raw, header) { const [, hex] = header.split('='); const expected = crypto.createHmac('sha256', secret).update(raw).digest('hex'); return crypto.timingSafeEqual(Buffer.from(hex,'hex'), Buffer.from(expected,'hex'));}Delivery and retries
- Expect a JSON POST and reply 2xx on success. Non-2xx triggers retries with exponential backoff.
- We move undeliverable events to a dead-letter list you can inspect in the dashboard.
Test and debug
- Use the dashboard’s delivery log and test-event feature to validate handlers.
- Local testing: ngrok or requestbin are useful to inspect raw payloads and headers.
Security and quotas
- Use HTTPS-only endpoints, rotate signing secrets, and verify signatures before processing.
- For very sensitive events route them to a dedicated endpoint with tighter controls.
- Unlimited plan users can set a custom signing secret (up to 64 characters) and receive up to 10,000 events/month. Contact support for custom SLAs.
Quick setup
- Go to Dashboard → Settings → Developer → Webhooks.
- Click Add endpoint and enter your URL.
- Select the events you want to receive.
- Copy the signing secret, save it securely, and enable the endpoint (send test event to ensure everything’s okay).
All webhook payloads include a signature you should verify using the signing secret. Unlimited plan users can choose a custom signing secret (up to 64 characters) and receive up to 10,000 events per month. Lower plans have safe default signing secrets and tiered event quotas.
If you need higher throughput, custom fields, or private delivery options, contact support and we will work with you.
Important (Start automating now)
Hook Ellipticc events into your systems. Sign up and get started