Skip to content

Webhooks

Webhooks let your team receive automatic real-time notifications on your own server when events happen in Pliic — such as a new suggestion submitted or a status change on a ticket.

Webhooks are available on the Starter plan (up to 3 endpoints) and Pro plan (unlimited). The Free plan does not include this feature. Only members with the Admin or Owner role can manage webhooks.

  1. Go to Settings → Webhooks
  2. Click Add endpoint
  3. Fill in the fields:
    • Name — an internal label for the endpoint
    • URL — a public HTTPS address that will receive the notifications
    • Events — select which events should trigger this endpoint
  4. Click Create

After creating, a signing secret (whsec_…) is shown only once. Copy and store it securely — it cannot be retrieved later.

EventDescription
suggestion.createdA new suggestion was submitted.
suggestion.status_changedA suggestion’s status was changed.
suggestion.commentedA comment was added to a suggestion.
ticket.createdA new ticket was opened.
ticket.status_changedA ticket’s status was changed.
ticket.repliedA reply was added to a ticket.

Each delivery is a POST request with Content-Type: application/json in the following format:

{
"id": "018e1234-5678-7abc-def0-123456789abc",
"event": "suggestion.created",
"created_at": "2024-01-15T14:30:00Z",
"data": { ... }
}
FieldTypeDescription
idstring (UUID)Unique identifier for this delivery.
eventstringName of the event that fired.
created_atstring (ISO 8601)Date and time of the event in UTC.
dataobjectEvent-specific payload data.

Each delivery includes the following HTTP headers:

HeaderDescription
X-Pliic-SignatureHMAC-SHA256 signature of the raw request body.
X-Pliic-EventEvent name (e.g. suggestion.created).
X-Pliic-DeliveryUnique UUID for this delivery.

Verifying the signature confirms that the request was sent by Pliic and that the payload was not tampered with in transit.

Compute HMAC-SHA256(secret, raw_body) and compare it to the X-Pliic-Signature header value using constant-time comparison.

PHP:

function verifySignature(string $secret, string $rawBody, string $signature): bool
{
$expected = hash_hmac('sha256', $rawBody, $secret);
return hash_equals($expected, $signature);
}

Node.js:

const crypto = require('crypto');
function verifySignature(secret, rawBody, signature) {
const expected = crypto
.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature),
);
}

If your server returns a non-2xx status or the connection times out, Pliic will automatically retry with exponential backoff:

AttemptApproximate delay
1st (retry)5 minutes
2nd15 minutes
3rd45 minutes
4th135 minutes
5th405 minutes (~6.75 hours)

After 5 failed attempts the delivery is abandoned.

The full history of each delivery — status, response code, and number of attempts — is available on the endpoint’s detail page.

On the endpoint detail page, click Send test. Pliic will deliver a webhook.ping event so you can verify that your server is receiving requests correctly before activating real events.

  • Only public HTTPS URLs are accepted. Internal, private-network, or localhost addresses are rejected.
  • The TLS certificate of the destination server is always verified.
  • Never share the signing secret or include it in public code or logs.