Webhooks

• message.received — A new inbound email arrived
• message.sent — An outbound email was accepted by SES
• message.delivered — An outbound email was delivered to the recipient
• message.bounced — An outbound email permanently bounced
• message.complaint — A recipient marked the email as spam

Webhook payloads are POST requests to your endpoint URL (must be HTTPS). Each delivery includes a JSON body with the event type, timestamp, and relevant data.

If your endpoint returns a non-2xx status, Robotomail retries with exponential backoff: 1 minute, 5 minutes, 30 minutes, 2 hours, 12 hours. After 10 consecutive failures, the webhook is automatically paused with status FAILED.

Every webhook delivery includes an X-Robotomail-Signature header containing an HMAC-SHA256 signature of the request body. Verify it against the webhook secret returned when you created the webhook.

See the Webhooks API reference for verification code examples. The secret is only returned once at creation time.

Webhooks can be account-level (triggered for events on any mailbox) or mailbox-scoped (triggered only for events on a specific mailbox). Scoped API keys can only create mailbox-scoped webhooks for mailboxes in their scope.