Webhooks

Configure an HTTPS endpoint in the portal and we push delivery events as they happen — no polling. Payloads are signed with your webhook secret using HMAC-SHA256 over the raw body.

Event types

email.deliveredMailbox accepted the message
email.bouncedHard bounce — recipient auto-suppressed
email.filteredspamMarked as spam — auto-suppressed
email.suppressedProvider-level suppression
email.quarantinedQuarantined by the receiving server
email.openedOpen tracked (when tracking enabled)
email.clickedLink click tracked
email.unsubscribedBroadcast recipient unsubscribed

Payload

delivery
POST https://yourapp.com/webhooks/email
x-noticeapi-event: email.bounced
x-noticeapi-signature: sha256=8f3a...

{
  "type": "email.bounced",
  "messageId": "0f83...",
  "recipient": "[email protected]",
  "timestamp": "2026-07-02T18:04:14.000Z",
  "detail": "550 5.1.1 mailbox unavailable",
  "accountId": "..."
}

Verify signatures

Always verify x-noticeapi-signature before trusting a payload. Your signing secret is shown on the Webhooks page.

verify.ts
import { createHmac, timingSafeEqual } from "node:crypto";

export function verifyNoticeSignature(rawBody: string, header: string, secret: string) {
  const expected = "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
  const a = Buffer.from(expected);
  const b = Buffer.from(header);
  return a.length === b.length && timingSafeEqual(a, b);
}

Delivery semantics

Events are sent with a 5-second timeout. Respond with any 2xx quickly and process async. Retries and multiple endpoints are on the roadmap — design your handler to be idempotent on messageId + type.