Verification

Validate Kirisan webhook POSTs with headers, signing secrets, and fast 2xx responses.

Kirisan does not sign webhook bodies with HMAC. Verify deliveries using optional Signing secret headers, event headers, and your own HTTPS endpoint controls.

Signing secret

When you create or edit a webhook on Webhooks → Webhook, you can set Signing secret (optional, up to 512 characters).

On every POST Kirisan includes:

X-Webhook-Secret: the-secret-you-configured

If the header is missing or does not match your stored secret, return 401 or 403 from your handler.

When no secret is configured, Kirisan omits X-Webhook-Secret. Rely on HTTPS and a non-guessable URL path if you skip a secret.

Routing headers

Use these headers before parsing the JSON body:

| Header | Value |
| --- | --- |
| X-Kirisan-Event | incoming_message, submission, or message_status |
| X-Kirisan-Device | Device token or identifier for the linked line or bot |

The JSON body repeats event and device, but headers let you route cheaply at the edge.

User-Agent

| Traffic | User-Agent |
| --- | --- |
| Live delivery | Kirisan-Webhook/1.0 |
| Webhooks → Test | Kirisan-Webhook-Test/1.0 |

Respond with 2xx quickly

Kirisan treats 200 or 201 as success. Any other HTTP status, connection error, or timeout is shown as failed on Webhooks → Logs.

Best practice:

  1. Validate X-Webhook-Secret (if used).
  2. Parse JSON and enqueue work on your side.
  3. Return 200 or 201 immediately.
  4. Process the message asynchronously.

Kirisan does not retry failed deliveries.
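
One way to implement steps 1 to 3 above together with the routing-header check, as an added example that is not Kirisan's own code. The function name `handle_delivery`, the in-process queue, the choice of 401 for a missing header and 403 for a mismatch, and the 400 responses are assumptions of this example; the secret and device values are constructed placeholders.

```python
import hmac
import json
import queue

# Event names from the routing-header table on this page.
KNOWN_EVENTS = {"incoming_message", "submission", "message_status"}

def handle_delivery(headers, body, stored_secret, work_queue):
    """Return the HTTP status for one webhook POST and enqueue accepted payloads."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    # Step 1: check the shared secret before touching the body.
    if stored_secret is not None:
        presented = h.get("x-webhook-secret")
        if presented is None:
            return 401
        # compare_digest avoids leaking how many characters matched via timing.
        if not hmac.compare_digest(presented.encode(), stored_secret.encode()):
            return 403

    # Route on the header so unknown events are rejected without parsing JSON.
    event = h.get("x-kirisan-event")
    if event not in KNOWN_EVENTS:
        return 400

    # Step 2: parse the JSON body, then hand the work to a consumer.
    try:
        payload = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400
    if not isinstance(payload, dict):
        return 400
    work_queue.put((event, h.get("x-kirisan-device"), payload))

    # Step 3: acknowledge immediately; step 4 runs in the queue consumer.
    return 200

if __name__ == "__main__":
    # Constructed sample delivery; the secret and device are placeholders.
    q = queue.Queue()
    hdrs = {"X-Webhook-Secret": "example-secret",
            "X-Kirisan-Event": "submission",
            "X-Kirisan-Device": "example-device"}
    body = b'{"event": "submission", "device": "example-device", "production": false}'
    print(handle_delivery(hdrs, body, "example-secret", q), q.qsize())
```

Because failed deliveries are not retried, a payload that is rejected here or lost after the 200 is gone, so the queue a real handler writes to should be durable.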

Production vs test payloads

| Field | Test (Webhooks → Test) | Live traffic |
| --- | --- | --- |
| production | false | true |

Optional: ignore or short-circuit handlers when "production": false so test traffic does not touch production CRM records.

HTTPS URL

Saved webhook URLs must be valid http:// or https:// addresses. Use HTTPS in production.

Kirisan must reach your URL from the public internet — localhost and private networks will fail unless you tunnel (for example ngrok) during development.

Activate before live traffic

New endpoints stay Pending test until Webhooks → Test returns 2xx. Only Active endpoints receive live events (except Telegram Incoming Message auto-activation described in Overview).

Editing an endpoint resets it to Pending test until you test again.

Last updated: July 2, 2026