Inbox Ledger
Troubleshooting

Webhook not delivering

Fix dead webhook deliveries, signature verification failures, and endpoints rejected as not public.

Webhook not delivering

Your endpoint is not receiving the JSON it should, or the delivery log on the Webhooks page shows failures. Work through the causes below in order.

Deliveries fail, retry, then go dead

Symptom. The delivery log shows repeated failed attempts for a webhook, and after several tries the delivery is marked dead.

Cause. Inbox Ledger waits up to 10 seconds for a 2xx response. Any other status, a timeout, or a connection error counts as a failed attempt. After 5 failed attempts the delivery is marked dead and is not retried again. The endpoint was down, slow, or returning a non-2xx status during the retry window.

Fix. Confirm the endpoint is up and returns a 2xx status within 10 seconds. Return 2xx as soon as you have stored the payload, then run any slow work in the background. Once the endpoint is healthy, re-enable the webhook from its toggle, or recreate it if it was deleted. New events queue fresh deliveries; a dead delivery is not replayed automatically.

Confirm. Trigger a new event, such as processing one document, and watch a fresh delivery reach succeeded in the log.

Signature verification fails

Symptom. Deliveries arrive and return 401 from your endpoint, or your code rejects every request as having an invalid signature.

Cause. The signature is an HMAC-SHA256 digest of the raw request body. Verifying against a parsed-then-reserialized object changes key order and spacing, so the recomputed digest never matches. A wrong or stale signing secret produces the same failure.

Fix. Verify against the exact raw bytes of the request body, before any JSON parser touches it. Recompute sha256= plus the HMAC-SHA256 hex digest, keyed by the secret from the webhook's row, and compare it to X-Signature-256 with a constant-time check. See Securing and verifying webhooks for a working Node snippet.

In Express, parse the webhook route with express.raw({ type: 'application/json' }) so you hold the raw body. A global express.json() middleware consumes the body first and breaks verification.

Confirm. A test delivery passes your check and your endpoint returns 2xx.

Endpoint rejected as not public

Symptom. Saving the webhook fails with a message that the URL must be a public HTTPS endpoint.

Cause. Inbox Ledger runs an SSRF guard that refuses private, internal, and metadata addresses, such as http://, localhost, 10.x, 192.168.x, and 169.254.x.

Fix. Use a reachable public HTTPS URL. For local development, expose your machine through a tunnel that gives you a public HTTPS address, then paste that URL.

Confirm. The webhook saves, and the signing secret is shown once for you to copy.

Still stuck

Email support@inboxledger.app with your organization name, the webhook URL, and a delivery ID from the log.

Securing and verifying webhooks

HMAC verification and the retry rules.

Webhooks

Register an endpoint and subscribe to events.

Events and payloads

The seven events and their JSON shapes.

Ready to try this?

Inbox Ledger turns your inbox into clean accounting data. The free tier includes 10 credits, refilled every 30 days.

Start free

Fix wrong extraction

Correct misread fields and stop the same mistake from recurring.

Export failed

Fix a stalled cloud-storage export or a rejected accounting push from expired access, no retry, or missing mapping.

On this page

Webhook not deliveringDeliveries fail, retry, then go deadSignature verification failsEndpoint rejected as not publicStill stuckRelated