Delivery & Failures
Webhook delivery is fire-and-forget with a short timeout. Understanding the failure policy will save you from silently-disabled endpoints.
How delivery works
When an event fires, Flowsta:
- Finds every webhook subscribed to that event.
- Applies any filters (e.g.
filters.file_hashonsign.created). - Sends a single
POSTrequest:- Method:
POST - Content-Type:
application/json - Headers:
X-Flowsta-Signature,X-Flowsta-Event - Body: the signed JSON payload
- Method:
Each delivery attempt has a 10-second timeout. If your endpoint doesn't return headers within 10 seconds, Flowsta aborts the request and records it as a failure.
Retry policy
There is currently no retry. Each event is delivered once. If your endpoint is down, returns a non-2xx status, or times out, that event is lost.
We recommend:
- Making your handler fast (acknowledge and queue work).
- Treating webhooks as a nice-to-have signal rather than the source of truth.
- Reconciling state periodically against the REST API for critical data.
Automatic retry with exponential backoff is on the roadmap.
Automatic disable
To protect your endpoint and our infrastructure, Flowsta tracks a failure_count per webhook.
- Every non-2xx response, network error, or timeout increments the count.
- A successful 2xx response resets the count to 0.
- After 10 consecutive failures, the webhook's
activeflag is set tofalseand Flowsta stops sending events to it.
Re-enabling a disabled webhook
PUT to the webhook with { "active": true }:
curl -X PUT https://auth-api.flowsta.com/api/v1/webhooks/<id> \
-H "Authorization: Bearer <your-app-jwt>" \
-H "Content-Type: application/json" \
-d '{"active": true}'This resets failure_count to 0 and resumes delivery on the next matching event.
Monitoring
GET /api/v1/webhooks returns failure_count, last_triggered_at, and active for each webhook. A non-zero failure_count is a warning; active: false means you're currently receiving nothing.
{
"webhooks": [
{
"id": "wh_...",
"url": "https://yourapp.com/hooks/flowsta",
"events": ["sign.created", "sign.revoked"],
"active": true,
"failure_count": 0,
"last_triggered_at": "2026-04-13T14:22:00Z"
}
]
}Rate limits
Webhook management endpoints (POST, GET, PUT, DELETE on /api/v1/webhooks) are limited to 30 requests per minute per client.
Webhook delivery is not rate-limited on our end — if a user does ten sign.created-eligible actions in a second, we'll attempt ten deliveries. Make sure your endpoint can handle bursts.
Tier limits
Webhooks are counted per organization, across all apps you own.
| Tier | Webhooks per org |
|---|---|
| Free | 0 (not available) |
| Spark | 10 |
| Pro | 100 |
| Enterprise | Unlimited |
Attempting to exceed the limit returns 402 Payment Required.