Overview
Toku sends an HTTPSPOST request to your registered endpoint whenever a subscribed event occurs. Your endpoint must respond with a 2xx status within 10 seconds to be considered a successful delivery.
Webhooks are scoped to your integration. Each endpoint you register receives only the event types you explicitly subscribe to.
Endpoint Management
Register an endpoint withPOST /createWebhookEndpoint. Supply a valid https:// URL and the array of event types you want to receive.
signingSecret. Save it immediately — it is shown only once.
Use GET /listWebhookEndpoints to view all registered endpoints, and DELETE /deleteWebhookEndpoint to remove one by id.
Signature Verification
Every webhook delivery includes anx-tga-signature header containing an HMAC-SHA256 hex digest of the raw request body, signed with your endpoint’s signingSecret.
Always verify the signature before processing the payload.
Delivery Guarantees & Idempotency
Webhooks are delivered at least once. The same event may be delivered more than once in rare cases (e.g., network failure after a successful delivery). Design your handler to be idempotent. Each event payload includes a uniqueeventId. Use it as an idempotency key to deduplicate processing:
Retry Logic
If your endpoint returns a non-2xx status or times out, Toku retries the delivery up to 3 times with exponential backoff:
Each attempt has a 10-second timeout. After 3 failed retries the delivery is marked
failed and no further attempts are made.
Delivery Log
UseGET /listWebhookDeliveries with an endpointId to inspect delivery history for a specific endpoint — including status, response code, and timestamps for each attempt. This is the primary tool for debugging missed or failed deliveries.
Event Type Reference
Events marked TGA are emitted only for Token Grant Administration workflows. Events marked Payroll / EOR are emitted for payroll runs and employer-of-record workflows.
