Webhooks Are Live
Sandboxes can now push email events to your endpoint the moment they arrive.
Sandboxes now support webhooks. When an email arrives, we POST a JSON payload to your endpoint. You set it up from the sandbox detail page: paste an HTTPS URL and save the signing secret.
The payload includes the sender, recipients, subject, and timestamps but not the full email body. If you need the content, fetch it via the API using the email ID.
{
"event": "email.received",
"data": {
"id": "ck...",
"from": "[email protected]",
"to": ["[email protected]"],
"subject": "Welcome",
"hasAttachments": false
}
}Every request is signed with HMAC-SHA256. You get a signing secret when you create the webhook, and we send the signature plus a timestamp in headers. Verification in Node:
import crypto from 'node:crypto';
function verify(req, rawBody, secret) {
const sig = req.headers['x-mailloop-signature'] ?? '';
const ts = req.headers['x-mailloop-timestamp'] ?? '';
if (!sig.startsWith('v0=')) return false;
if (Math.abs(Date.now() / 1000 - Number(ts)) > 300) return false;
const expected = crypto
.createHmac('sha256', secret)
.update(`v0:${ts}:${rawBody}`)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(sig.slice(3), 'hex'),
Buffer.from(expected, 'hex')
);
}If your endpoint is down or returns a non-2xx, we retry up to 3 times. The delivery ID stays the same across retries so you can deduplicate. If a webhook keeps failing (10 times in a row), we pause it automatically and you can resume from the dashboard.
Webhooks are on all paid plans. More details and examples in the webhook docs.