Skip to main content
Webhooks let Riverside push events to your systems in real time. Instead of polling the API, you register an HTTPS endpoint (a subscription) and Riverside sends a signed POST request to it whenever a subscribed event occurs — for example when a webinar starts or a registrant signs up.

How it works

  1. Subscribe — create a subscription with your endpoint URL and the event types you want. Riverside returns a signing secret (shown only once).
  2. Receive — when a subscribed event happens, Riverside POSTs a JSON event envelope to your URL, signed with your secret.
  3. Verify — validate the signature and timestamp headers before trusting the payload. See Verifying Signatures.
  4. Acknowledge — respond with any 2xx status promptly. Non-2xx responses, timeouts, and network errors are retried.

The event envelope

Every delivery — regardless of event type — shares the same outer JSON shape. The event-specific fields live inside data.
{
  "id": "evt_9f8c2a1b7d3e4f56",
  "event": "webinar.started",
  "event_ts": 1752595283,
  "account_id": "acc_1a2b3c4d",
  "data": { },
  "delivery_attempt": 1
}
FieldTypeDescription
idstringUnique identifier for this event. Deduplicate on this value — the same event may be delivered more than once.
eventstringThe wire event type, e.g. webinar.started. See Event Types.
event_tsintegerUnix timestamp (seconds) of when the event occurred — not when it was delivered.
account_idstringThe Riverside account the event belongs to.
dataobjectThe event-specific public payload. Its shape depends on event — see Event Types.
delivery_attemptinteger1 on the first attempt; increments on each retry.

Delivery guarantees

  • At-least-once. A successful delivery is any 2xx response. On failure Riverside retries on a backoff schedule; a single event can therefore be delivered more than once. Always dedupe on id.
  • Not ordered. Events are not guaranteed to arrive in the order they occurred. Use event_ts if ordering matters to you.
  • HTTPS only. Endpoints must be publicly reachable over HTTPS. Redirects are not followed — a 3xx response is treated as a failed attempt.
  • Signed. Every request carries an HMAC signature and timestamp so you can verify authenticity and guard against replay.

Next steps

Event Types

The catalog of events you can subscribe to and their payloads.

Verifying Signatures

Authenticate incoming deliveries.

Delivery & Retries

Retry schedule, auto-disable, and replay.