Webhooks. Real-time events, delivered reliably.
Per-workspace webhook endpoints receive click, conversion, and link-management events with HMAC-SHA256 signatures. Automatic retries with exponential backoff. SIEM mode streams events to your security platform.
- 10+ event types — clicks, conversions, domain changes
- HMAC-SHA256 signature on every delivery
- 72-hour exponential-backoff retry
- Delivery log with one-click replay
Event types
10+ event types out of the box
Subscribe per endpoint — receive only the events you care about. High-volume click events ship in a 5-second batched window by default; raw-click mode delivers per-click for stream processors.
- link.clicked
Every redirect click. Batched (5s window) or raw-click mode.
- link.created
A new short link was created in the workspace.
- link.updated
Link metadata, target URL, or rules changed.
- link.deleted
Link removed — update any downstream references.
- domain.verified
Custom domain passed DNS verification.
- conversion.attributed
Revenue event matched to a click via Stripe or Shopify.
- campaign.completed
Campaign reached its end date or click cap.
- member.invited
Workspace member added or SCIM-provisioned.
Plus link.expired, link.click_cap_reached, domain.ssl_issued, and more — see the full event catalog.
Delivery guarantees
Exponential backoff. 72-hour window.
A non-2xx response or a 30-second timeout triggers automatic retries: 30 s → 2 min → 10 min → 30 min → 2 h → 8 h → 24 h → 48 h. After 72 hours the delivery is permanently failed and removed from the queue — but still in the delivery log for manual replay.
- 30-second response timeoutReturn 200 immediately; process async if your handler is slow.
- 8 retry attempts over 72 hoursExponential backoff — no avalanche effect on restart.
- Auto-pause after 30 consecutive failuresWorkspace admin notified by email. Resume from dashboard.
- One-click replay from logOriginal payload, same event_id — receiver must be idempotent.
| Event | Endpoint | Status | Latency | Time | |
|---|---|---|---|---|---|
link.clicked | api.acme.com/wh | 200 | 142ms | 14:04:31 | |
link.created | api.acme.com/wh | 200 | 88ms | 14:03:19 | |
conversion.attributed | logs.acme.com | 500 | 30001ms | 14:02:01 | |
domain.verified | api.acme.com/wh | 200 | 67ms | 13:58:44 | |
link.deleted | logs.acme.com | timeout | 30000ms | 13:55:12 |
Delivery log
Full log. Filter, inspect, replay.
Every attempt is logged: event ID, event type, endpoint URL, HTTP status, response body (up to 4 KB), and latency. Retention is 30 days on Pro, 90 days on Business.
- Filter by event type, endpoint, status, and date range
- Failed entries show full request body for debugging
- Replay sends original payload — same event_id
- API: POST /v1/webhooks/deliveries/:id/replay
- SIEM mode: structured JSON with 7-day retry guarantee
What you can do
- Click, conversion, link, and domain events
- HMAC-SHA256 request signing
- Automatic retries — up to 72 hours
- SIEM mode for security event forwarding
- Per-event-type topic filtering
- Webhook delivery log with replay
What Elido webhooks deliver and how delivery works
Webhooks are only as useful as their reliability. The sections below cover delivery guarantees, signature verification, retry behavior, and SIEM mode.
Click events, conversion events, link lifecycle events, and domain events — configurable per endpoint
Each webhook endpoint can subscribe to one or more event types: click.created (every redirect click), conversion.created (conversion event received from Stripe, Shopify, or custom endpoint), link.created, link.updated, link.deleted, link.expired, link.click_cap_reached, domain.verified, domain.ssl_issued, domain.ssl_error, workspace.member.added, workspace.member.removed. High-volume click events can be noisy — by default, click.created webhooks are sent with a 5-second aggregation window (batched delivery, up to 100 events per payload). If you need per-click real-time delivery (e.g., feeding a stream processor), enable the raw-click mode on the endpoint; note that this can produce thousands of requests per minute for busy workspaces and should only be enabled for endpoints that can handle the throughput.
Every request is signed with HMAC-SHA256 — verify the X-Elido-Signature header before processing
Elido signs every webhook request body with HMAC-SHA256 using the shared secret configured on the endpoint. The signature is included in the X-Elido-Signature header as 'sha256=<hex_digest>'. To verify: compute HMAC-SHA256 over the raw request body using the shared secret, compare the result to the header value using a constant-time comparison function (to prevent timing attacks). Never process a webhook payload before verifying the signature. The secret is shown once at endpoint creation; rotate it in the dashboard with a zero-downtime overlap window (the old secret remains valid for 15 minutes after a new one is generated). Code examples for signature verification in Node.js, Python, and Go are in the webhooks guide at /docs/guides/webhooks.
Automatic retries with exponential backoff — up to 72 hours before a delivery is marked failed
If an endpoint returns a non-2xx status code or times out (30-second response timeout), Elido retries the delivery with exponential backoff: 30 seconds, 2 minutes, 10 minutes, 30 minutes, 2 hours, 8 hours, 24 hours, 48 hours. After the 72-hour window, the delivery is marked permanently failed and removed from the retry queue. Failed deliveries appear in the webhook delivery log with the final HTTP status code (or 'timeout'). You can replay any failed delivery from the dashboard or API (POST /v1/webhooks/deliveries/:id/replay) — useful for recovering a batch of events after a downstream outage. Endpoints that return 5xx for more than 30 consecutive deliveries are automatically paused and the workspace admin is notified by email. Resume the endpoint from the dashboard once the underlying issue is fixed.
SIEM mode streams workspace audit events to Splunk, Datadog, or any HTTPS log ingestion endpoint
SIEM mode is a special webhook configuration for security event forwarding. Instead of application events (clicks, conversions), SIEM mode delivers workspace audit events: SSO logins, failed logins, API key creation/rotation/deletion, SCIM provisioning events, role changes, webhook secret rotations, and admin actions (link deletion, bulk exports). Payload format is structured JSON with a standard schema (timestamp, actor, action, target, workspace_id, ip_address, user_agent) designed for ingestion into common SIEM platforms. SIEM webhooks are delivery-guaranteed with up to 7-day retry and are signed separately from application webhooks. Tested integrations: Splunk HTTP Event Collector (HEC), Datadog Logs API, Elastic Logstash HTTP input, and any generic HTTPS log endpoint. SIEM mode is a Business-only feature.
Full delivery log with request body, response code, and one-click replay for failed deliveries
Every webhook delivery attempt is logged: event ID, event type, endpoint URL, delivery timestamp, HTTP status code, response body (up to 4KB), and latency. The delivery log is queryable by event type, endpoint, date range, and status (delivered, retrying, failed). Failed deliveries include the full request body so you can inspect the event that failed without replaying. Replay: POST /v1/webhooks/deliveries/:id/replay sends the original payload (not a new event) to the endpoint — idempotency on your receiver is required. Delivery log retention is 30 days on Pro, 90 days on Business. For permanent audit of webhook events, configure a SIEM endpoint or enable scheduled export of the audit log.
Engineering teams using Elido webhooks in production
Names are placeholders — real customer case studies land here as they are published.
“We consume click.created webhooks in batched mode to populate our own analytics pipeline. The HMAC signature verification and the delivery log with replay saved us hours debugging a partial outage — we replayed the missed events batch from the dashboard without rebuilding the event from source.”
“SIEM mode streaming workspace audit events to our Splunk HEC was the enterprise feature our InfoSec team required. SSO login events and API key rotations in Splunk, with the right schema, meant we could correlate Elido access events with our SIEM alert rules within a day of setup.”
“link.expired webhooks trigger our internal workflow to update the printed materials database — when a QR code link expires, our ops team gets an automatic task to update the physical label. Zero manual monitoring of link expiry states.”
Elido webhooks vs Bitly vs Short.io
Neither Bitly nor Short.io offer outbound webhooks with HMAC signing and retry guarantees. This comparison is candid about the gap.
| Feature | Elido | Bitly | Short.io |
|---|---|---|---|
| Outbound webhooks | Yes — per-workspace endpoints, per-event-type subscription | Not available | Yes — basic webhook on click |
| HMAC-SHA256 signing | Yes — every delivery signed, code examples provided | Not applicable | Partial — signature header present, not documented |
| Automatic retries | Yes — exponential backoff, 72-hour window | Not applicable | No retries — fire and forget |
| Delivery log with replay | Yes — 30 days Pro, 90 days Business, one-click replay | Not applicable | No delivery log |
| SIEM audit event mode | Yes — Business, structured JSON for SIEM ingestion | Not available | Not available |
| Endpoint auto-pause on failure | Yes — paused after 30 consecutive failures, admin notified | Not applicable | Not available |
| Event types | Click, conversion, link lifecycle, domain, audit events | Not applicable | Click only |
Webhook questions
How do I verify the HMAC-SHA256 signature?
Read the raw request body as bytes (before any JSON parsing), compute HMAC-SHA256 over the raw bytes using your endpoint's shared secret, base16-encode (hex) the result, and compare it to the value in the X-Elido-Signature header after stripping the 'sha256=' prefix. Use a constant-time comparison function (e.g., hmac.compare_digest in Python, crypto.timingSafeEqual in Node.js) to prevent timing attacks. Never compare the signature with a standard string equality operator. Code examples for Node.js, Python, and Go are at /docs/guides/webhooks#verification.
What should my webhook receiver return?
Return HTTP 200 (or any 2xx status code) within 30 seconds. The response body is ignored — you can return an empty body or { ok: true }. If your processing takes longer than 30 seconds, return 200 immediately and process the event asynchronously (enqueue to an internal queue, return 200, process off the request path). Returning 4xx is treated the same as 5xx for retry purposes — both trigger a retry. Return 200 even if the event is not relevant to your integration (e.g., a link.created event you don't need) to avoid spurious retries.
How does idempotency work for webhook events?
Every webhook payload includes an event_id field (UUID). Use this as the idempotency key on your receiver: if you receive the same event_id twice (due to a retry after a partial failure), process it only once. Store received event IDs in a deduplication table with a TTL of at least 72 hours (the retry window). The retry payload is identical to the original — same event_id, same body — so a simple 'have I seen this event_id?' check is sufficient.
Why is my endpoint being paused automatically?
Endpoints are auto-paused after 30 consecutive delivery failures (non-2xx or timeout). This prevents Elido from hammering a broken endpoint indefinitely. Fix the underlying issue (usually: the endpoint URL changed, the server is down, or the 30-second timeout is being exceeded due to slow processing), then resume the endpoint in the dashboard. Once resumed, Elido does not automatically replay events that were skipped during the pause — replay them manually from the delivery log if you need to recover those events.
Can I receive click events in real-time for every single click?
Yes — enable raw-click mode on the endpoint. In raw-click mode, Elido delivers click.created events individually with no batching window, within 2 seconds of the click. Be aware that a busy workspace can produce thousands of events per minute in raw-click mode; ensure your receiver can handle the throughput. For most analytics use cases, the default 5-second batched aggregation (up to 100 clicks per payload) is sufficient and produces far fewer HTTP requests.
What's the payload size limit for webhook events?
Individual event payloads are under 10KB. Batched click payloads (default mode) can be up to 100 events per batch, with a total payload size cap of 100KB. If a batch would exceed 100KB, it's split into multiple deliveries automatically. Large metadata fields on clicks (e.g., long referer URLs) are truncated at 2KB per field. If your receiver enforces a strict payload size limit, configure raw-click mode (one event per delivery) instead of batched mode.
Is there a way to test webhooks locally during development?
Use a tool like ngrok, Cloudflare Tunnel, or localtunnel to expose your local server with a public HTTPS URL, then register that URL as a webhook endpoint in your test workspace. Alternatively, use the webhook test-fire button in the dashboard to send a sample payload for any event type to a registered endpoint without triggering a real event. The Elido CLI (elido webhook test --event click.created --endpoint https://...) also works for scripted local testing.
What happens to webhook events during a planned maintenance window?
Events generated during a maintenance window are queued in Redpanda and delivered after the maintenance window ends. The Elido status page (status.elido.app) announces planned maintenance windows in advance. Webhook delivery SLA excludes announced maintenance windows. For the typical 30–60 minute maintenance window, the 72-hour retry window means no events are permanently lost — they're delivered in the order they were generated once the endpoint is reachable again.
Keep reading
The synchronous API complement to async webhooks — create and query links programmatically.
Receive conversion events via webhooks from Stripe and Shopify — the inbound webhook side.
SIEM mode delivers workspace audit events — SSO logins, SCIM provisioning, role changes.
Click events in ClickHouse — the query-side alternative to receiving clicks via webhook.