Thrive can notify your systems in real-time when key events occur on the platform. When a matching event fires, Thrive sends an HTTP POST request containing a JSON payload to the URL you have configured for that subscription type.
Implementation will handle the configuration setup alongside you.
Subscription Types
Webhooks are grouped into five subscription types. Each subscription type has its own URL configuration and delivers a distinct set of events.
| Subscription | Events Delivered |
|---|---|
completion_subscription |
content.completed, content.passed |
content_subscription |
content.*, page.*, post.*, comment.*, moderation.* |
assignment_subscription |
assignment.*, enrolment.* |
notification_subscription |
notification.dispatched |
user_subscription |
user.activated, user.deactivated, user.updated |
Common Payload Fields
Every event payload includes the following top-level fields regardless of event type.
| Field | Type | Description |
|---|---|---|
eventType |
string | Identifies the specific event, e.g. content.completed |
tenantId |
string | Your Thrive tenant identifier |
createdAt |
string | ISO 8601 timestamp of when the event occurred on the platform |
dispatchedAt |
string | ISO 8601 timestamp of when this webhook request was dispatched |
HTTP Request Details
Every webhook request is sent as:
- Method:
POST - Content-Type:
application/json - Body: JSON-encoded event payload
Your endpoint must respond with a 2xx status code within 30 seconds. If the request times out or returns a non-2xx response, Thrive will retry delivery.
Verifying the HMAC Signature
If a secret was configured for your webhook, each request will include an x-hmac-signature header:
x-hmac-signature: sha256=<hex-digest>
To verify the request came from Thrive:
- Read the raw request body as a string - do not re-parse and re-serialize the JSON, as this can alter key ordering and invalidate the signature.
- Compute HMAC-SHA256 of the raw body string using your configured secret.
- Compare your computed hex digest against the value after
sha256=in the header.
Example (Node.js):
const crypto = require('crypto');
function verifySignature(rawBody, secret, signatureHeader) {
const expected = crypto
.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');
return `sha256=${expected}` === signatureHeader;
}
Delivery Guarantees
| Behaviour | Detail |
|---|---|
| At-least-once delivery | Your endpoint may receive the same event more than once. Design your integration to handle duplicate events idempotently. |
| Retries | Failed deliveries (timeout or non-2xx response) are retried automatically. |
| Config propagation | Changes to your webhook URL may take up to 15 minutes to take effect. |
| HTTPS only | Webhook URLs must use HTTPS. |