Outbound webhooks
Pro plans push HMAC-signed events to your endpoint on every state change that matters — IPC certify, PO issue, GRN receive, milestone close, NCR raise/close, approval escalations.
Signature
Header: X-Aayu-Signature: sha256=<hex>. The signature is HMAC-SHA256 over the raw request body using your subscription's secret. Verify before parsing the body.
Retries
Failed deliveries (non-2xx response, timeout, connection error) retry at 0s + 5s + 30s. Per-subscription state lives on the OrgWebhook row — admins can see the last delivery status, error message, and consecutive failure count.
Replay protection
Header: X-Aayu-Delivery-Id: <uuid>. The same id never repeats; track recently-seen ids on your side to make your handler idempotent.
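The signature and replay checks from the two sections above, combined in one receiver, as an added Python example (not the vendor's own code). The header names and the ping event come from this page; the class and function names, the cache bound, and the sample secret, body and ids in the test are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import OrderedDict

PREFIX = "sha256="


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value as the page describes it: sha256=<hex> over the raw body."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Hypothetical receiver: verify X-Aayu-Signature, then de-duplicate."""

    def __init__(self, secret: bytes, max_seen: int = 10_000):
        self.secret = secret
        self.seen = OrderedDict()   # delivery id -> True, oldest first
        self.max_seen = max_seen    # assumed cache bound, not from the page

    def signature_ok(self, raw_body: bytes, header) -> bool:
        if not header or not header.startswith(PREFIX):
            return False
        expected = sign(self.secret, raw_body).encode()
        # Compare as bytes in constant time; str inputs must be ASCII-only.
        supplied = header.strip().encode("utf-8", "replace")
        return hmac.compare_digest(expected, supplied)

    def handle(self, raw_body: bytes, headers: dict) -> str:
        """Return 'rejected', 'duplicate' or 'accepted'. Keys assumed exact-case."""
        # 1. Authenticate the exact bytes received, before any JSON parsing.
        if not self.signature_ok(raw_body, headers.get("X-Aayu-Signature")):
            return "rejected"
        # 2. De-duplicate. The signature covers the body only, so the id is
        #    an idempotency key checked after authentication, not before.
        delivery_id = headers.get("X-Aayu-Delivery-Id")
        if not delivery_id:
            return "rejected"
        if delivery_id in self.seen:
            return "duplicate"
        self.seen[delivery_id] = True
        if len(self.seen) > self.max_seen:
            self.seen.popitem(last=False)   # evict the oldest id
        return "accepted"   # only now parse raw_body and act on the event
```

Pass the body bytes exactly as read from the socket; re-serialising parsed JSON changes the bytes and the HMAC will no longer match.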
Test endpoint
The management page (Settings → Webhooks) has a “send test event” button that fires a synthetic ping event so you can verify your signature path before going live.