Request headers
Every delivery is a POST with Content-Type: application/json plus these custom headers:
X-Client-Id · string
Your webhook's public Client ID. Use it to look up the corresponding secret if you have multiple communities sharing one handler.
X-Event-Id · string (UUID)
Unique ID for this delivery. Use it for idempotent processing — retries reuse the same ID.
X-Event-Type · string
One of member.joined, member.approved, member.rejected, member.removed, member.left, or webhook.test.
X-Event-Timestamp · string (ISO 8601)
When the event actually occurred, not when it was delivered. As a replay-protection measure, reject deliveries whose timestamp is more than 5 minutes off your clock.
X-Webhook-Signature · string
sha256=<hex> — HMAC-SHA256 of the raw body, keyed with your client secret.
User-Agent · string
Always Key-Community-Webhooks/1.0. Useful for allow-listing on your edge.
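A receiver-side check that combines the headers above, as an added example (not code from the service's own documentation). The function names, the lowercase header dict, the in-memory `seen_ids` set, the sample body and the choice to acknowledge duplicates without reprocessing are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # replay window from the X-Event-Timestamp note


def sign(secret: bytes, raw_body: bytes) -> str:
    """Header value as documented: sha256=<hex HMAC-SHA256 of the raw body>."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(headers, raw_body, secrets, seen_ids, now=None):
    """Return (accepted, reason). secrets maps Client ID -> secret bytes."""
    now = now or datetime.now(timezone.utc)
    secret = secrets.get(headers.get("x-client-id", ""))
    if secret is None:
        return False, "unknown client id"
    # Authenticate the exact bytes received, before any JSON parsing.
    expected = sign(secret, raw_body)
    received = headers.get("x-webhook-signature", "")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "bad signature"
    stamp = headers.get("x-event-timestamp", "").replace("Z", "+00:00")
    try:
        ts = datetime.fromisoformat(stamp)
    except ValueError:
        return False, "bad timestamp"
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive means UTC
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    event_id = headers.get("x-event-id", "")
    if not event_id:
        return False, "missing event id"
    if event_id in seen_ids:
        return True, "duplicate"  # retry of a processed delivery: ack, no work
    seen_ids.add(event_id)
    return True, "ok"


if __name__ == "__main__":
    keys = {"client-abc": b"constructed-secret"}  # constructed sample values
    body = b'{"member":"m1"}'
    hdrs = {"x-client-id": "client-abc", "x-event-type": "member.joined",
            "x-event-id": "11111111-1111-4111-8111-111111111111",
            "x-event-timestamp": datetime.now(timezone.utc).isoformat(),
            "x-webhook-signature": sign(keys["client-abc"], body)}
    print(verify_delivery(hdrs, body, keys, set()))
    print(verify_delivery(hdrs, body + b" ", keys, set()))
```

In production, keep the seen event IDs in a shared store rather than a per-process set, so every handler instance sees the same history.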