Events

Webhooks deliver JSON payloads for key events:

ticket.created, ticket.assigned, ticket.closed
moderation.action_taken
sla.breached

Signatures

Each request includes X-Stavent-Timestamp and X-Stavent-Signature. The signature is an HMAC-SHA256 of:

Signing string

v1:{timestamp}:{raw_body}

Warning

Always verify the timestamp (replay protection) and compare signatures using a constant-time comparison.

Retries and idempotency

Webhooks retry with exponential backoff for up to 24 hours. Stavent includes an event id (id) you should use for idempotency.

Examples

ticket.closed payload (example)

{
  "id": "evt_01H...",
  "type": "ticket.closed",
  "createdAt": "2025-12-01T12:30:00Z",
  "data": {
    "ticketId": "tkt_9f3b...",
    "status": "closed",
    "resolution": "refund",
    "tags": ["billing"]
  }
}

Local testing

Keep raw body bytes intact when computing the HMAC. Some frameworks parse JSON and re-serialize it differently.