Signature Verification
Every PRESS delivery is signed with HMAC-SHA256. You must verify this on every incoming request.
How the Signature is Computed
X-Webhook-Signature header.
Verification Steps
Read the raw body
Read the request body exactly as received. Do not parse or re-serialise before verification — transforming the body will produce a signature mismatch.
Check replay window
Reject the request if the timestamp is more than 5 minutes from your current time. This prevents replay attacks.
Compute the signature
Concatenate timestamp + "." + raw_body and compute HMAC-SHA256 using your signing key.
Compare using constant-time comparison
Compare the computed signature against the X-Webhook-Signature header. Use a constant-time comparison function — do not use == as it is vulnerable to timing attacks.
Code Examples
Response Codes
Your endpoint must respond with an appropriate HTTP status code within 500 milliseconds.
| Your Response | Meaning | What PRESS Does |
|---|---|---|
| 200 / 2xx | Event accepted | Done. No retry. |
| 401 / 403 | Bad signature or unauthorised | Permanent failure. Not retried. |
| 400 | Bad request | Permanent failure. Not retried. |
| 3xx (redirects) | Redirect | Treated as failure. Redirects are not followed. |
| 5xx | Server error | Temporary failure. Retried. |
| Timeout (>500ms) | No response | Temporary failure. Retried. |
Retry Schedule
PRESS retries failed deliveries (5xx or timeout) with exponential backoff:
| Attempt | Delay After Previous Failure | Cumulative Elapsed |
|---|---|---|
| 1 | Immediate | 0 |
| 2 | 1 minute | ~1 minute |
| 3 | 5 minutes | ~6 minutes |
| 4 | 15 minutes | ~21 minutes |
| 5 | 1 hour | ~1 hour 21 minutes |
| 6 | 6 hours | ~7 hours 21 minutes |
Idempotency
PRESS uses at-least-once delivery. The same event may arrive more than once (due to retries or network issues). The X-Webhook-Id header (and the id field in the payload) is your idempotency key. It is stable across retries.
X-Webhook-Delivery-Attempt tells you the attempt number. 1 = first delivery, 2+ = retry.
Recommended Handler Pattern
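The verification steps and the idempotency rule above, combined into one handler as an added example (not PRESS's own code). It assumes the timestamp arrives as Unix seconds in a header named X-Webhook-Timestamp (a hypothetical name; this page does not name it), that X-Webhook-Signature carries the hex digest, and that header keys are passed with the casing shown.

```python
import hashlib
import hmac
import time

# Assumptions (not stated on this page): the timestamp header name, its
# Unix-seconds format, and hex encoding of the signature.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # hypothetical name
SIGNATURE_HEADER = "X-Webhook-Signature"
ID_HEADER = "X-Webhook-Id"
REPLAY_WINDOW_SECONDS = 5 * 60


def sign(key, timestamp, raw_body):
    """HMAC-SHA256 over timestamp + "." + raw_body, hex encoded (assumed)."""
    message = timestamp.encode() + b"." + raw_body
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(headers, raw_body, key, now=None):
    """Return True only if the delivery is fresh and correctly signed."""
    timestamp = headers.get(TIMESTAMP_HEADER, "")
    received = headers.get(SIGNATURE_HEADER, "")
    if not timestamp.isascii() or not timestamp.isdigit() or not received:
        return False  # missing or malformed headers fail closed
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False  # more than 5 minutes off, in either direction
    expected = sign(key, timestamp, raw_body)
    # compare_digest does not return early at the first differing byte
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_delivery(headers, raw_body, key, seen_ids, now=None):
    """Return the HTTP status to send back, following the response table."""
    # raw_body must be the bytes as received, before any JSON parsing
    if not verify(headers, raw_body, key, now):
        return 401  # permanent failure, not retried
    event_id = headers.get(ID_HEADER)
    if not event_id:
        return 400
    if event_id in seen_ids:
        return 200  # duplicate from a retry: acknowledge without reprocessing
    seen_ids.add(event_id)  # in-memory set for illustration; use a durable store
    # ... apply the event here, after verification and de-duplication ...
    return 200
```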
Event Ordering
PRESS does not guarantee global ordering of events. If ordering matters for your use case:
- Compare event_ts values before applying state changes
- Design idempotent handlers that tolerate out-of-order delivery
- Use uaekyc_id as the entity key with last-writer-wins logic
