Skip to main content
By the end of this guide your endpoint accepts webhook POSTs from gavAI, rejects any request not cryptographically signed by your workspace, refuses replays older than five minutes, deduplicates retries on the event id, and answers inside the 10-second timeout. Plan on about 20 minutes if you already have a server with a route you can attach.

Prerequisites

Steps

Troubleshooting

What you built

You registered a webhook and stored the signing secret, read and validated the three delivery headers, implemented HMAC-SHA256 verification with constant-time comparison, added replay protection via the timestamp window, deduplicated retries on the body id, and structured the handler to respond inside the 10-second timeout. Your endpoint is now safe to receive and process gavAI events.

Next steps