Kembali ke docs

Webhook

Cloudin POST event ke URL kamu setiap email masuk (atau event lain yang kamu subscribe).

Setup

  1. Buka Layanan → Webhook → Tambah webhook
  2. Input URL endpoint kamu
  3. Pilih event types
  4. Secret muncul sekali — catat untuk verify HMAC

Event types

  • message.received — email baru masuk
  • message.deleted — email dihapus
  • address.created — address baru di-generate
  • address.expired — address kedaluwarsa
  • domain.verified — DNS verify OK
  • domain.lost — DNS verify gagal 3x
  • service.suspended / service.reactivated — billing state

Payload format

{
  "id": "evt_01HXY...",
  "type": "message.received",
  "created_at": "2026-05-28T07:00:00Z",
  "data": {
    "message": {
      "id": "msg_01HXY...",
      "address": "abc@inbox.brandkamu.id",
      "from": "sender@example.com",
      "subject": "Verifikasi Email",
      "preview": "Klik link...",
      "otp_code": "891-203"
    }
  }
}

Verify signature (HMAC SHA256)

Setiap delivery dikirim dengan header:

  • X-Cloudin-Timestamp — Unix timestamp
  • X-Cloudin-Signaturesha256=
Verifikasi di server kamu:

const crypto = require('crypto');

function verifyWebhook(rawBody, timestamp, signature, secret) {
  // Reject kalau >5 menit (anti-replay)
  if (Math.abs(Date.now()/1000 - parseInt(timestamp)) > 300) return false;


  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(${timestamp}.${rawBody})
    .digest('hex');


  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Retry policy

Webhook delivery retry exponential backoff:

AttemptDelay
1instant
21 menit
35 menit
430 menit
56 jam
5x failwebhook disabled, kamu dapat notif
Timeout per delivery: 10 detik. Status sukses: HTTP 2xx-3xx (kecuali 307/308).