RReTestimonial
Sign inStart free
PREMIUM+OUTBOUND WEBHOOKS · 07DISPATCH ONLINEQUEUE 0·4 ATTEMPTS MAX·● 99.98% 28D

Signed,
sealed,
delivered.

When a testimonial is created, approved, or updated, we courier the event to your endpoint — HMAC-SHA256 signed, durably queued, retried with exponential backoff until you say received.

SigningHMAC-SHA256
DeliveryAt-least-once
Retries4 attempts · 60s → 1h
Timeout10s per request
SIGNED
HMAC
SHA-256
REGISTERED DISPATCH
RT-9V·442·81X·KQ
WEBHOOK · v1
FROM
ReTestimonial · Workspace
ws_acme_2vQ · prod
TO
api.acme.com
POST /hooks/retestimonial
EVENTtestimonial.approved
DELIVERYevt_8421f9·att1
STATUS200 OK
TIMESTAMP1714398012
SIGNATUREv1=a4f3…29c1
LATENCY84 ms
PAYLOAD · application/json
1 {
2 "id": "evt_8421f9",
3 "type": "testimonial.approved",
4 "created": 1714398012,
5 "data": {
6 "id": "t_2qkX9b",
7 "author": "Jess Raman",
8 "company": "Plotline",
9 "rating": 5
10 }
11 }
X-Signature: t=1714398012,v1=a4f3b9··2…··29c1
VERIFIED
01Events catalogue

Six events. One predictable shape.

Subscribe to the lifecycle moments that matter. Every event ships with a stable JSON envelope versioned 2026-02-01, a content snapshot, and a normalized source category.

testimonial.created

A new testimonial — text, video, or audio — landed via form, manual entry, import, review-platform sync, or extension. Source category included.

testimonial.approved

A testimonial transitioned to APPROVED. Fires from the dashboard, bulk actions, or auto-approval on insert.

testimonial.updated

Non-status edits to copy, ratings, custom fields, tags, or attribution. Status transitions fire their own typed events.

testimonial.archived

Archived or rejected via the dashboard or bulk action. Fires once, replaces a generic update event.

testimonial.spam

Marked as spam by moderation, bulk action, or detection. Use it to sync downstream lists or alert humans.

testimonial.deleted

Hard-deleted with a typed reason — manual_delete, bulk_delete, source_bulk_delete, import_rollback, spam_cleanup.

More events on request — we ship new ones backwards-compatibly.
02Trust the courier

HMAC-SHA256. No exceptions.

Every payload ships with an X-RT-Signature header. Verify it in three lines, reject anything that doesn’t match. Replay attacks die at your edge.

Per-endpoint secrets
Rotate without redeploying. Keep two live during cutover.
5-minute timestamp window
Replays outside the window fail signature checks by design.
Deterministic body hash
Same payload → same signature. Idempotent retries are safe.
Constant-time compare
We document the check so timing attacks can’t fingerprint your handler.
verify.ts · Node 20READY TO PASTE
import crypto from "node:crypto";

// verify the X-Signature header
export function verify(req, secret) {
  const sig = req.headers["x-signature"];
  const [t, v1] = sig.split(",").map(p => p.split("=")[1]);
  const age = Date.now()/1000 - Number(t);
  if (age > 300) return false; // 5-min window

  const expected = crypto
    .createHmac("sha256", secret)
    .update(`${t}.${req.rawBody}`)
    .digest("hex");

  return crypto.timingSafeEqual(
    Buffer.from(v1), Buffer.from(expected)
  );
}
· examples · python · go · ruby · php · in docs verified
03Retry timeline

Your endpoint hiccups. We keep dispatching.

Four attempts over an hour, exponential backoff, durable outbox. If you 5xx, we come back. If you 4xx, we stop and tell you. Either way, no event is silently dropped.

EVT_8421F9 · TESTIMONIAL.APPROVED
DELIVERED · 4 ATTEMPTS · 1h 01m
0s
200 OK
first attempt
60s
503
your server returned 503
10m
timeout
exceeded 10s deadline
1h
200 OK
recovered
Schedule
60s · 10m · 1h · max 4 attempts
On 5xx / timeout
Retry until success or exhaustion
On 4xx
Mark failed, no further retries
After exhaustion
Sits in DLQ · replayable any time
04Delivery dashboard

Every dispatch, logged.

Watch the live feed, replay any failed delivery with one click, inspect the exact payload and headers we sent.

99.98%
28-day uptime
84ms
Median latency
0
Events lost (ever)
Replay
Any event, any time
LIVE FEED · /webhooks/deliverieslast 15 min · 247 events
EVENT IDTYPEATTSTATLATATDEST
evt_8421f9testimonial.approved120084ms12:42:08api.acme.com
evt_8420c3testimonial.created1200112ms12:41:55api.acme.com
evt_841ee2testimonial.updated320094ms12:38:11hooks.zapier.com
evt_841db8testimonial.flagged1200201ms12:36:02api.acme.com
evt_841ca5form.submission850312:30:18old.partner.io
evt_841b91testimonial.approved120078ms12:28:44api.acme.com
evt_841a42testimonial.created2200133ms12:24:17hooks.zapier.com
● 246 ok● 1 failed replay failed
05Payload anatomy

A predictable envelope. Always.

The same eight top-level keys for every event, every endpoint, every project. Build your handler once and trust the shape forever.

FIELDTYPEDESCRIPTION
idstringStable delivery ID. Surfaces in the dashboard. Use as your idempotency key.
eventstringDot-namespaced event name. Routes cleanly through your handler.
eventVersionstringPinned envelope version (currently 2026-02-01). Lets you upgrade safely.
timestampiso-8601Server-side timestamp at the moment the event was emitted.
mutationGroupIdstringGroups events from the same mutation — e.g. created + approved on the same insert.
sourceRawstringThe raw origin tag — form id, importer name, review platform slug, etc.
sourceCategoryenumNormalized: form, manual, import, review_platform, social_media, extension, system…
dataobjectThe full testimonial record — author, content, rating, custom fields, attribution.
06Where they ship to

Anywhere that speaks HTTPS.

Your API
Direct POST to a handler you own. The fastest, cleanest, most reliable path.
Zapier / Make
Connect any of 6,000+ apps with no code. Use the generic webhook trigger.
n8n / Pipedream
Self-hosted or hosted automation runners. Native verification helpers.
Slack / Discord
Post into a channel via incoming webhook. Templating in the docs.
Segment / Rudderstack
Forward events into your CDP and on to dozens of downstream tools.
Anywhere HTTPS
If it speaks HTTPS and POST, we'll deliver to it. That's the whole story.
07Controls

Everything an integrator actually needs.

Per-endpoint event filters
Subscribe one endpoint to .approved, another to .spam, a third to everything. No noise.
Secret rotation
Regenerate a signing secret in one click. Pending and processing rows cancel safely on rotation.
SSRF-safe URLs
Endpoint URLs run through a validator that blocks private ranges, redirects, and metadata IPs.
Pause and resume
Pause an endpoint and the backlog queues; resume drains oldest-first. No events lost.
Inspect any payload
Click any delivery in the developer tab to see exact body, headers, response, latency, and signature.
DLQ replay
Replay a single failed delivery, or bulk-replay by event type and date range. Up to 1000 at a time.
08Specs

Built for engineers who’ve read the postmortem.

Durable outbox, idempotent IDs, signed payloads, replayable history. The features you wish every webhook product shipped with.

PlanPremium 1 endpoint · Business 5 endpoints
SigningHMAC-SHA256, X-Signature: t=…,v1=…
Delivery semanticAt-least-once · Idempotency-Key per attempt
Retry schedule60s · 10m · 1h · max 4 attempts
Timeout10s per attempt
TLSHTTPS required · redirects blocked
Auto-disable15 consecutive failures · owner email
Audit logSucceeded 30d · Failed/Canceled 90d
ComplianceSOC 2 Type II · GDPR DPA available
Premium+ · ready to wire

Wire it up before lunch.

Generate a secret, paste it into your handler, paste your endpoint URL into ReTestimonial. Done. The first event will land before your coffee gets cold.