Skip to main content
Most issues fall into a handful of buckets. Find yours below; each links to the page with the full story.

Verification

No provider secret is registered for the endpoint, so nothing is checked. Register the provider’s signing secret — see verify inbound signatures — and new events arrive with a real verification state.
A signature was checked and rejected. Usual causes: the wrong secret (a test secret against live traffic, or a stale one after a rotation), or a proxy in front of your ingest that altered the body. Confirm the secret matches the one the provider signs with, and that nothing between the provider and wbhk.my rewrites the payload. A failed event is captured but never delivered or signed.
Almost always one of two things: you’re verifying over a re-serialized body instead of the raw bytes, or you’re using == instead of a constant-time compare. Verify over the exact bytes you received and compare with crypto.timingSafeEqual / hmac.compare_digest. The full snippet is on sign outbound webhooks.
These sign the request URL along with the body, so the URL configured at the provider must be your ingest URL exactly — a trailing slash or an extra query parameter changes the signed string. Match it character-for-character.

Delivery

The destination resolved to a private or internal address and the SSRF guard refused it. blocked is terminal — it’s never retried. Point the destination at a publicly reachable HTTPS URL.
failed is a retryable error (a non-2xx, a timeout); dead means the retry schedule exhausted all 8 attempts over ~32h. Read the error on the delivery with wbhk deliveries get <id>, fix the receiver, then replay the missed events.
After 20 consecutive dead deliveries a destination auto-disables and the org owner is emailed. Re-enable it with wbhk replay-destinations enable <id> once the receiver is fixed — owed deliveries resume on the next drain.
triggers.wait is a short-poll, not a push — it returns immediately with whatever’s past your cursor. Keep calling it, threading nextCursor; while caughtUp is false, call again promptly. See trigger semantics.

Ingestion

The endpoint is paused. A paused endpoint answers writes with a retryable 429 so a well-behaved sender holds the event and redelivers rather than dropping it — resume the endpoint and the redelivery lands. See ingest URLs.
Handshakes are answered automatically, but some need a secret registered first — a Meta verify_token, a Braintree public key. Register the secret the provider guide calls for, then retry the provider’s verification.
The endpoint predates sealed-token storage, or its seal degraded. Rotate the endpoint and the fresh URL is revealable from then on.

Auth

The key is valid but missing the scope the action needs. Mint a key with the right scope rather than over-provisioning an existing one — whoami shows a key’s scopes.
The bearer token is missing, malformed, expired, or revoked. Check the Authorization: Bearer header; if it leaked, revoke and replace it.

Still stuck?

Every error response carries a requestId in the x-request-id header — include it when you reach out, and see errors and status codes for the full taxonomy.