Webhooks let your application receive real-time HTTP POST notifications when events happen in Rebill — for example when an invoice is paid, a quote is accepted, or a client is created. You register a URL, choose which events to subscribe to, and Rebill delivers a signed JSON payload to that URL.
Setting up a webhook
- 1
Go to Settings → Webhooks
Click Settings in the left sidebar, then click the Webhooks tab.
- 2
Add a webhook
Click "Add Webhook". Enter the URL that will receive events, an optional description, and select which events to subscribe to.
- 3
Copy the secret
After creating the webhook, copy the signing secret. You will need this to verify that incoming requests are genuine. The secret is only shown once — store it securely.
Available events
You can subscribe to any combination of these events:
| Event | Description |
|---|---|
invoice.created | A new invoice was created |
invoice.updated | An invoice was modified |
invoice.sent | An invoice was sent to the client |
invoice.paid | An invoice was fully paid |
invoice.payment_received | A payment was recorded (partial or full) |
invoice.cancelled | An invoice was cancelled |
invoice.deleted | An invoice was deleted |
quote.created | A new quote was created |
quote.updated | A quote was modified |
quote.sent | A quote was sent to the client |
quote.accepted | A client accepted a quote |
quote.declined | A client declined a quote |
quote.expired | A quote passed its expiry date |
quote.converted | A quote was converted to an invoice |
quote.deleted | A quote was deleted |
client.created | A new client was added |
client.updated | A client was modified |
client.deleted | A client was deleted |
payment.received | A payment was received via a payment gateway |
Payload format
Every delivery is an HTTP POST with a JSON body:
POST https://your-app.example.com/webhook Content-Type: application/json X-Rebill-Event: invoice.paid X-Rebill-Signature: sha256=abc123... X-Rebill-Delivery: dlv_01HYZ...
The body contains the full entity that triggered the event.
Verifying signatures
Every webhook delivery includes an X-Rebill-Signature header. Compute an HMAC-SHA256 of the raw request body using your webhook secret and compare it to the header value:
import crypto from "crypto";
function verify(body: string, secret: string, signature: string) {
const expected = "sha256=" +
crypto.createHmac("sha256", secret)
.update(body)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature)
);
}Always use a timing-safe comparison to prevent timing attacks.
Retries and auto-disable
If your endpoint returns a non-2xx status code, Rebill retries the delivery. After 20 consecutive failures, the webhook is automatically paused to prevent further load on your server.
Paused webhooks show a warning in Settings → Webhooks. Click "Resume" to re-enable delivery. A ping event is sent immediately to verify your endpoint is back online.
Testing webhooks
Click "Test" next to any webhook in Settings to send a ping event. Use a tool like webhook.site or ngrok during development to inspect payloads.Note
Each account can register up to 5 webhooks. Webhooks are available on all plans.