Webhooks are the preferred way to track envelopes — register an endpoint once and Atlas pushes lifecycle events to it, instead of you polling.

What you receive

Every transition in the envelope lifecycle emits an event, plus extraction results when requested. Deliveries are:
  • Signed — every delivery carries a signature so you can verify it came from Atlas. Reject any payload that doesn’t verify.
  • Retried — failed deliveries are retried.
  • Destination-validated — outbound destinations are validated to prevent Atlas being used as a request proxy.

Managing endpoints

From the dashboard you can:
  • Register and remove endpoints.
  • See delivery history per event.
  • Test-fire deliveries to confirm your handler before going live.

Verifying a delivery

Always verify the signature before trusting a payload:
1. Read the signature header

Each delivery includes a signature derived from the raw request body and your endpoint’s signing secret.

2. Recompute over the raw body

Compute the expected signature over the raw bytes of the request body — not a re-serialized object — using your signing secret.

3. Compare in constant time

Reject the delivery if the signatures don’t match. Respond 2xx only after you’ve durably accepted the event.

Preview and test environments cannot email real signers or hit real customer webhooks. Don’t point a production webhook endpoint at a non-production Atlas environment.

Make your handler idempotent: treat a repeated event ID as already-processed. Combined with retries, this guarantees at-least-once delivery never causes duplicate side effects.
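
The three verification steps and the idempotency advice above, combined in one handler as an added example (not Atlas's own code). This page does not name the signature algorithm, encoding, header or event-ID field, so HMAC-SHA256 in hex, the header name `X-Signature-Placeholder` and a top-level `id` field are assumptions; the secret and body are constructed samples.

```python
import hashlib
import hmac
import json

# Assumptions, not taken from the Atlas docs: HMAC-SHA256, hex-encoded,
# sent in the header below; event ID in a top-level "id" field.
SIGNATURE_HEADER = "X-Signature-Placeholder"  # hypothetical header name

# Constructed sample data. Note the double space after the comma: parsing and
# re-serializing this body would change its bytes and break the signature.
SECRET = b"constructed-test-secret"
RAW_BODY = b'{"id": "evt_constructed_1",  "type": "envelope.completed"}'


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Step 2: compute the signature over the raw request bytes."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_delivery(headers, raw_body, secret, seen_ids, store):
    """Return the HTTP status to send for one delivery.

    headers  -- mapping of header name to value (case-sensitive dict here;
                most frameworks provide a case-insensitive mapping)
    seen_ids -- set of event IDs already processed (stand-in for a DB table)
    store    -- list standing in for durable storage
    """
    # Step 1: read the signature header; a missing header never verifies.
    received = headers.get(SIGNATURE_HEADER, "")
    expected = expected_signature(secret, raw_body)

    # Step 3: constant-time comparison, done before any parsing of the body.
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return 401

    try:
        event_id = json.loads(raw_body)["id"]
    except (ValueError, KeyError, TypeError):
        return 400

    # Idempotency: a retried event ID is acknowledged without side effects.
    if event_id in seen_ids:
        return 200

    store.append(raw_body)   # durably accept first ...
    seen_ids.add(event_id)   # ... then mark as processed
    return 200               # 2xx only after the event is stored
```

In a real handler `seen_ids` and `store` would be a database with a unique constraint on the event ID, so the duplicate check and the write happen atomically.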