Webhooks
Aoexl can forward completion events to license-scoped webhook endpoints.

Event Flow
When a signing session completes, the product can:
- upload completion artifacts
- build the completion payload
- sign the payload with HMAC when a secret exists
- retry failed deliveries with backoff
- store delivery logs
Headers
- X-Aoexl-Event
- X-Aoexl-Event-Version
- X-Aoexl-Signature
Payload Notes
The payload includes event metadata plus completion data such as:
- signed PDF URL
- certificate URL
- storage metadata
- completion timestamp
- IP address when available
Security
If a webhook secret is configured, requests include an HMAC signature:
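```txt
X-Aoexl-Signature: sha256=<signature>
```
Verify the signature with the raw request body:
```js
import crypto from "node:crypto";

// Returns true only when the header matches the HMAC-SHA256 of the raw body.
function verifyAoexlWebhook(rawBody, signatureHeader, secret) {
  // A missing or non-string header cannot be valid.
  if (typeof signatureHeader !== "string") return false;
  const expected =
    "sha256=" +
    crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  const received = Buffer.from(signatureHeader);
  const wanted = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (received.length !== wanted.length) return false;
  return crypto.timingSafeEqual(received, wanted);
}
```
Operations Support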
The Developers area currently exposes:
- webhook URL/secret management
- recent delivery logs
- configuration audit trail
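
The signature check from the Security section, carried through a receiver to show why the raw request body matters and how malformed headers are rejected. This is an added example, not Aoexl's own code; the secret, the payload fields, the `sign`, `handleDelivery` and `demo` names, and the acceptance of upper-case hex are assumptions.

```javascript
// Added example (not Aoexl code). Loads node:crypto under CommonJS or ES modules.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// Constructed sample values; the secret and payload fields are placeholders.
const SECRET = "constructed-example-secret";
const RAW_BODY = Buffer.from('{"event": "example.completed", "id": 1}');

// Sender side of the documented scheme: "sha256=" + hex HMAC of the raw body.
function sign(rawBody, secret) {
  return "sha256=" +
    nodeCrypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Receiver side. `headers` uses lowercase names, as Node's req.headers does.
function handleDelivery(headers, rawBody, secret) {
  const match = /^sha256=([0-9a-f]{64})$/i.exec(headers["x-aoexl-signature"] ?? "");
  if (!match) {
    return { status: 401, reason: "missing or malformed signature" };
  }
  const received = Buffer.from(match[1], "hex"); // always 32 bytes here
  const expected = nodeCrypto.createHmac("sha256", secret).update(rawBody).digest();
  if (!nodeCrypto.timingSafeEqual(received, expected)) {
    return { status: 401, reason: "signature mismatch" };
  }
  // Parse only after the bytes have been authenticated.
  return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
}

// Runs four deliveries and returns the HTTP status each one would get.
function demo() {
  const good = { "x-aoexl-signature": sign(RAW_BODY, SECRET) };
  // Re-serialising parsed JSON drops the spaces, so the bytes no longer match.
  const reserialised = Buffer.from(JSON.stringify(JSON.parse(RAW_BODY.toString())));
  return {
    rawBody: handleDelivery(good, RAW_BODY, SECRET).status,
    reserialisedBody: handleDelivery(good, reserialised, SECRET).status,
    missingHeader: handleDelivery({}, RAW_BODY, SECRET).status,
    truncatedHeader: handleDelivery({ "x-aoexl-signature": "sha256=abc" }, RAW_BODY, SECRET).status,
  };
}

console.log(demo());
```

In a framework that parses JSON automatically, capture the request bytes before the parser runs and pass those bytes to the check.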