Outbound Webhooks

How it works#

After every successful segment recompute, SegOps POSTs a signed JSON payload to each active webhook URL registered for the tenant. Delivery is fire-and-forget; no retry on failure.

Configuration#

Webhooks are managed at Settings → Webhooks. You can also use the API — see activations API reference.

Fields#

Payload#

{
  "event": "segment.recomputed",
  "tenant_slug": "acme",
  "segment_id": 42,
  "segment_name": "High LTV Buyers",
  "member_count": 1842,
  "computed_at": "2026-05-02T14:32:00Z"
}

computed_at is ISO 8601 UTC. member_count reflects the materialized count at delivery time.

Signature verification#

When a secret is configured, the X-SegOps-Signature header contains sha256=<hex> — a HMAC-SHA256 of the raw request body.

import { createHmac, timingSafeEqual } from 'crypto';

function verify(secret: string, body: Buffer, header: string): boolean {
  const expected = 'sha256=' + createHmac('sha256', secret).update(body).digest('hex');
  return timingSafeEqual(Buffer.from(expected), Buffer.from(header));
}

import hashlib, hmac

def verify(secret: str, body: bytes, header: str) -> bool:
    expected = 'sha256=' + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header)

Always use constant-time comparison (timingSafeEqual / hmac.compare_digest) to prevent timing attacks.

Delivery semantics#

• Fire-and-forget — SegOps makes one attempt per recompute; no retry on non-2xx responses.
• Timeout — 10 seconds per request; return 2xx quickly and process asynchronously.
• Order — all active webhooks for a tenant fire in parallel after the recompute task finishes.
• Deduplication — one delivery per recompute. If the same segment recomputes twice in quick succession, two separate payloads fire.

Related#

• Activation Connectors — push membership directly to Klaviyo, Braze, TalonOne
• Segment Compute — trigger recompute manually