Verify signatures
Language-specific HMAC recipes, multi-secret verification, timing attacks. Read the concept →
Guides
Subscribe to Webhooks
Webhooks are how Kirim pushes things at you in real time — inbound WhatsApp messages, delivery status callbacks, conversation assignments, contact changes. By the end of this guide you will have a working endpoint that subscribes to the events you care about, verifies their signatures, and deduplicates retries.
Prerequisites
Section titled “Prerequisites”-
A Kirim API key (
kdv_live_...). -
A publicly reachable HTTPS endpoint for Kirim to POST to. Plain HTTP is rejected at subscription time. For local development, expose your dev server via
ngrok,cloudflared tunnel, or similar:Terminal window # Pick one:ngrok http 3000cloudflared tunnel --url http://localhost:3000Then use the generated
https://*.ngrok-free.appURL. -
An endpoint that:
- Accepts
POST application/json. - Responds within 10 seconds (per-attempt timeout).
- Returns any
2xxfor success. Anything else (3xx, 4xx except408/429, or 5xx) marks the delivery as failed and triggers a retry.
- Accepts
-
Pick your events.
Subscribe only to what you actually handle — every extra event is a request you have to ack. The most common starter set:
Event Use case message.receivedInbound WhatsApp messages from customers. message.statusOutbound delivery callbacks ( sent→delivered→read) and failures.conversation.assignedSync conversation ownership into your CRM / inbox. conversation.closedTrigger post-resolution flows (NPS, CSAT, ticket close). contact.createdNew WhatsApp contact appeared — sync to CRM. contact.updatedExisting contact’s name, email, or metadata changed. Browse the full list in the Event Catalog.
-
Create the subscription.
Webhook subscriptions are organization-level — one subscription receives events across all your connected phone numbers. There is no
phone_number_idin the path.Terminal window curl -sS https://api.kirim.chat/v1/webhook_subscriptions \-H "Authorization: Bearer $KIRIM_KEY" \-H "Content-Type: application/json" \-d '{"url": "https://your-app.example.com/webhooks/kirim","events": ["message.received","message.status","conversation.assigned","conversation.closed","contact.created","contact.updated"],"description": "Production handler"}'import { Kirim } from '@kirimdev/sdk'const kirim = new Kirim({ apiKey: process.env.KIRIM_KEY! })const sub = await kirim.webhookSubscriptions.create({url: 'https://your-app.example.com/webhooks/kirim',events: ['message.received','message.status','conversation.assigned','conversation.closed','contact.created','contact.updated',],description: 'Production handler',})console.log(sub.id, sub.initial_secret)import os, httpxr = httpx.post("https://api.kirim.chat/v1/webhook_subscriptions",headers={"Authorization": f"Bearer {os.environ['KIRIM_KEY']}"},json={"url": "https://your-app.example.com/webhooks/kirim","events": ["message.received","message.status","conversation.assigned","conversation.closed","contact.created","contact.updated",],"description": "Production handler",},)r.raise_for_status()print(r.json()["data"]["id"], r.json()["data"]["initial_secret"])Response:
{"data": {"id": "wbs_01HXYZABCDEFGHJKMNPQRSTVWX","object": "webhook_subscription","url": "https://your-app.example.com/webhooks/kirim","status": "active","events": ["message.received", "message.status", "..."],"secrets": [{"id": "sec_01HXYZABCDEFGHJKMNPQRSTVWX","created_at": "2026-05-23T10:00:00Z","expires_at": null}],"initial_secret": "whsec_…"},"request_id": "req_…"} -
Store the
initial_secretimmediately.Kirim returns
initial_secretonce, on creation, and never again. Drop it straight into your secrets manager (AWS Secrets Manager, Doppler, 1Password,.env.localfor dev — wherever your app reads runtime config from). -
Verify the signature on every request.
Kirim signs every webhook delivery with HMAC-SHA256 over the raw request body. Reject any request where the signature doesn’t match — that’s how you know it actually came from Kirim and not a spoofer who guessed your URL.
// Express example — note the raw body middleware.import crypto from 'node:crypto'import express from 'express'const app = express()const secret = process.env.KIRIM_WEBHOOK_SECRET!function verify(rawBody: string, signature: string): boolean {const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex')return crypto.timingSafeEqual(Buffer.from(expected, 'hex'),Buffer.from(signature, 'hex'),)}app.post('/webhooks/kirim',express.raw({ type: 'application/json' }),(req, res) => {const sig = req.header('x-kirim-signature') ?? ''if (!verify(req.body.toString('utf8'), sig)) {return res.status(401).send('invalid signature')}// ... proceed to step 5 ...},)The TypeScript SDK ships a helper:
import { verifyWebhookSignature } from '@kirimdev/sdk/webhooks'const ok = verifyWebhookSignature({payload: rawBody,signature: req.headers['x-kirim-signature'] as string,secret: process.env.KIRIM_WEBHOOK_SECRET!,})For full recipes (Python, Go, Ruby, multiple active secrets, timestamp validation), see Verifying Signatures.
-
Deduplicate on
X-Kirim-Event-Id.Kirim delivers at-least-once. The same event may arrive twice if your handler processed it but the response didn’t reach Kirim before the 10-second timeout. Use the header as your dedup key:
const eventId = req.header('x-kirim-event-id')!const fresh = await redis.set(`webhook:event:${eventId}`,'1','EX', 604800, // 7 days — covers Kirim's full retry budget'NX',)if (!fresh) {return res.status(200).send('duplicate-ack')}If your stack doesn’t have Redis handy, a unique index on an
events_seen(event_id)table works equally well. -
Handle the event.
Every Kirim webhook payload includes a
typefield. Branch on it:app.post('/webhooks/kirim',express.raw({ type: 'application/json' }),async (req, res) => {// signature verification + dedup, as above ...const event = JSON.parse(req.body.toString('utf8'))switch (event.type) {case 'message.received':await onInboundMessage(event.data)breakcase 'message.status':await onStatusUpdate(event.data)breakcase 'conversation.assigned':await onConversationAssigned(event.data)breakcase 'conversation.closed':await onConversationClosed(event.data)breakcase 'contact.created':case 'contact.updated':await syncContactToCrm(event.data)breakdefault:console.warn('Unhandled event type:', event.type)}res.status(200).send('ok')},)For event payload shapes, see the Event Catalog and Payload Examples.
-
Test the round-trip locally.
With ngrok / cloudflared running, send a test message to your connected WhatsApp number from your phone. You should see your endpoint receive a
message.receivedevent within a second or two.No event? Check the Developers → Webhook Deliveries page in the Kirim dashboard, or list recent deliveries via the API:
Terminal window curl -sS "https://api.kirim.chat/v1/webhook_deliveries?subscription_id=wbs_…&limit=10" \-H "Authorization: Bearer $KIRIM_KEY"The
response_status_codeandresponse_bodyon each delivery tell you exactly how your endpoint replied.
Common pitfalls
Section titled “Common pitfalls”Rotating secrets
Section titled “Rotating secrets”A leaked secret should be rotatable in minutes without downtime:
-
Create a new secret.
POST /v1/webhook_subscriptions/{id}/secretsreturns a fresh plaintext. Kirim now signs every delivery with both secrets (legacy and new) for the overlap window. -
Add the new secret to your verifier. Update your secrets manager, redeploy. Your verifier now accepts either signature.
-
Confirm new signatures verify. Watch a few deliveries through the dashboard.
-
Delete the old secret.
DELETE /v1/webhook_subscriptions/{id}/secrets/{old_id}. Kirim stops signing with it on the next event.
What’s next
Section titled “What’s next”Event catalog
Every event type, when it fires, and its payload shape. Read the reference →
Payload examples
Copy-pasteable fixtures for every event — useful for tests. Read the reference →
Retries & auto-disable
Backoff schedule, dead-letter queue, replay APIs. Read the concept →