Skip to main content
Use webhooks when you want Nexio to push terminal run updates to your backend instead of waiting for your next poll. Poll GET /api/v1/runs/{run_id} for canonical reconciliation.

Supported Events

Both placement and entity analysis runs fire the same events. An entity analysis completion delivers run.completed with the analysis output in data.run.output instead of ranked solutions.

Security

Every webhook delivery is cryptographically signed. You can also add an optional bearer token for simpler setups. The two mechanisms serve different purposes:
  • Signing secret (recommended): Nexio generates an HMAC-SHA256 signing secret (whsec_...) when you create an endpoint. Every delivery includes an X-Nexio-Signature header computed from the payload. Your server recomputes the signature and compares: proving the request is from Nexio, the payload was not tampered with, and the request is not a replay.
  • Auth token (optional, simpler): A static bearer token you provide when creating or updating an endpoint. Nexio includes it as Authorization: Bearer <token> on every delivery. Convenient for API gateways but does not verify payload integrity or protect against replay.
For production use, always verify the signing secret.

Verifying the signing secret

Parse the X-Nexio-Signature header to extract the timestamp (t=) and one or more signatures (v1=). Recompute the HMAC and compare using constant-time equality.
Always verify against the raw request body (the exact bytes received), not a re-serialized version of the parsed JSON. Re-serialization can change key order or whitespace, breaking the signature.

Delivery Contract

  • At least once delivery: your consumer must be idempotent
  • Ordering not guaranteed: don’t depend on event order
  • Same X-Nexio-Delivery UUID across retries for the same endpoint delivery
  • Immutable payload: the JSON snapshot is fixed at delivery creation

Retry schedule

Failed deliveries retry with exponential backoff: 1 min, 5 min, 30 min, 2 hours, 12 hours. After all retries are exhausted, the delivery is dead-lettered.

Delivery headers

Example delivery payload (placement run)

Example delivery payload (entity analysis run)

Best Practices

  • Return 2xx quickly and process downstream work asynchronously. Nexio retries on non-2xx responses with exponential backoff.
  • Deduplicate on X-Nexio-Delivery: the same delivery UUID is sent across retries.
  • Verify signatures using the code examples above.
  • Reject stale timestamps older than 5 minutes to prevent replay attacks.
  • Poll the run status endpoint as the canonical reconciliation read if you miss a delivery or receive events out of order: use GET /api/v1/runs/{run_id}.