Outbound webhooks

Configure HTTPS endpoints under /dashboard/reseller/webhooks and we'll POST customer-lifecycle events to them. Useful for piping into your CRM, billing system, or notification rail.

Events

• CUSTOMER_SIGNED_UP — new user signed up under your scope

• ORDER_PAID — a paid order finalized (includes wholesale + margin breakdown)

• SERVER_PROVISIONED — a server transitioned to ACTIVE

• SERVER_SUSPENDED — server moved to SUSPENDED (dunning, manual, or terminate cascade)

• SERVER_TERMINATED — server moved to TERMINATED

• TRIAL_ISSUED — you issued a trial server

• TICKET_OPENED — a customer opened a support ticket under your queue

Subscribe to all events (leave the checklist empty when adding the endpoint) or a subset.

Signing + verification

Every POST carries three headers:

• X-Vicifast-Event — the event type

• X-Vicifast-Signature — HMAC-SHA256 hex of the body, using the secret we revealed when you created the endpoint

• X-Vicifast-Delivery — a unique id; use it for idempotency on your side

Verify in Node:

const sig = crypto.createHmac('sha256', SECRET).update(body).digest('hex');
if (sig !== req.headers['x-vicifast-signature']) return res.status(401).end();

Retries

If your endpoint doesn't return 2xx within 10 seconds we retry with exponential backoff: 1m, 5m, 30m, 2h, 12h, 24h, 48h, 72h. After 8 failed attempts the delivery is marked EXHAUSTED and dropped. Brief outages won't drop events; sustained ones will.

Lost the signing secret?

Delete the endpoint and add it again. We can't reveal the original secret after creation — it's sealed at rest.

Testing

The dashboard has a "Test" button on each endpoint that queues a synthetic CUSTOMER_SIGNED_UP event with test: true in the payload. Use it to verify your signature check end-to-end before going live.