Webhook Events Reference
Complete reference of all webhook event types, payload formats, and signature verification for Taifa Mail.
Base URL: https://govconnect.ke/v1
When an email event occurs, Taifa Mail sends a POST request to each webhook endpoint you have registered for that event type. This page documents the webhook management API, every event type, its payload, and how to verify authenticity.
All management endpoints require authentication via API Key or JWT cookie. API keys use the tfm_k_ prefix.
Manage webhooks
List webhooks
Returns your active webhook endpoints as a JSON array.
Response:
Create a webhook
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
url | string | Yes | The HTTPS endpoint to deliver events to. |
events | string[] | Yes | Event types to subscribe to (see Event types). |
The signing secret is generated by the server and returned in the
response. There is no secret field in the request body.
Returns 201 Created with the webhook object, including its secret.
Update a webhook
Request body (all fields optional):
| Field | Type | Description |
|---|---|---|
url | string | New delivery endpoint. |
events | string[] | New event subscription list. |
is_active | boolean | Set false to pause delivery, true to resume. |
Delete a webhook
Returns 204 No Content.
Send a test event
Queues a sample email.delivered event to the endpoint so you can verify
your integration. The test delivery is logged like any other.
List delivery attempts
Query parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
page | integer | 0 | Page number (zero-indexed). |
limit | integer | 20 | Results per page (1-100). |
status | string | -- | Filter by delivery status. |
Response:
Get a delivery attempt
Returns the full delivery record, including the request payload,
response_body, and endpoint_url. The flat /v1/webhook-deliveries/{delivery_id}
form looks the delivery up by ID alone.
Common payload fields
Every webhook payload includes these fields:
| Field | Type | Description |
|---|---|---|
event | string | The event type (e.g. email.delivered). |
email_id | string | The ID of the email that triggered the event. |
recipient | string | The recipient email address. |
timestamp | string (ISO 8601) | When the event occurred. |
metadata | object | Additional context (tags, domain, subject). |
Event types
email.sent
The email has been handed off to the recipient's mail server.
email.delivered
The recipient's mail server confirmed delivery.
email.opened
The recipient opened the email (tracking pixel loaded).
email.clicked
The recipient clicked a tracked link.
email.bounced
The email was permanently rejected by the recipient's mail server.
email.failed
Delivery failed due to an internal error or configuration issue.
email.complained
The recipient marked the email as spam (received via feedback loop).
email.unsubscribed
The recipient clicked the List-Unsubscribe link or used one-click unsubscribe.
Retry schedule
If your endpoint returns a non-2xx response or times out (10-second limit), Taifa Mail retries with exponential backoff:
| Attempt | Delay after failure |
|---|---|
| 1 | 1 minute |
| 2 | 5 minutes |
| 3 | 30 minutes |
| 4 | 2 hours |
| 5 | 6 hours |
| 6 | 24 hours |
| 7 | 48 hours |
| 8 | 72 hours |
After 8 failed attempts, the delivery is moved to the dead letter queue. You can view and manually replay failed deliveries from the dashboard under Settings -> Webhooks -> select webhook -> Failed Deliveries.
Signature verification
Every webhook request includes an X-Webhook-Signature header containing an HMAC-SHA256 hex digest of the raw request body, signed with your webhook's signing secret.
Always verify this signature before processing the payload.
Python
Node.js
Go
Always use constant-time comparison (hmac.compare_digest in Python, crypto.timingSafeEqual in Node.js, hmac.Equal in Go) to prevent timing attacks.
Your webhook signing secret is shown when you create the webhook. You can also find it under Settings -> Webhooks -> click the webhook -> Signing Secret.