Automation

Webhooks

Webhooks tell your server when something happens in your Bynli space — a new member joins, a form is submitted, a resource is approved — without you having to poll for it.

The gist

You tell Bynli what URL to call and which events you care about.
When an event happens, Bynli sends an HTTP POST to that URL with a JSON payload.
You respond with 200 to say "got it."
If your server has trouble, Bynli will retry for a while before giving up.

Open Webhooks in your dashboard, click Add subscription, paste your delivery URL, and pick the events you want. You'll be given a signing secret — copy it now, it's only shown once.

Keep your signing secret private. Anyone with it can forge delivery payloads.

Delivery payload

POSTyour server

POST /your/webhook/url HTTP/1.1
Content-Type: application/json
X-Bynli-Event: resource.approved
X-Bynli-Signature: sha256=…
X-Bynli-Timestamp: 2026-04-21T19:45:03Z
X-Bynli-Delivery: 7b6c1d…

{
  "event": "resource.approved",
  "delivery_id": "7b6c1d…",
  "occurred_at": "2026-04-21T19:45:02Z",
  "data": {
    "id": 312,
    "name": "Neighborhood Free Fridge",
    "category": "food"
  }
}

Available events

Event	When it fires
`member.joined`	A new person joins your organization.
`form.submitted`	A public form is submitted.
`resource.approved`	A submitted resource is approved into a directory.
`resource.rejected`	A submitted resource is rejected.
`payment.received`	A payment is recorded against a member.

Verifying a delivery

Every delivery is signed with your signing secret so you can confirm it came from Bynli and wasn't modified in transit. The signature is in the X-Bynli-Signature header as sha256=<hex> where <hex> is the HMAC-SHA256 of the raw request body, keyed with your signing secret.

Node.jscrypto

const crypto = require('crypto');

function verify(rawBody, headerSig, secret) {
  const expected = 'sha256=' +
    crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  // constant-time compare to avoid timing attacks
  const a = Buffer.from(headerSig);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

Also check X-Bynli-Timestamp against your server's clock and reject deliveries that are suspiciously old — this prevents an attacker from replaying a captured payload later.

Responding

Return any 2xx status quickly (ideally under a few seconds).
Do slow work in the background — accept the delivery first, then process.
Return a 4xx or 5xx if you can't handle it.

Retries and back-off

When your server returns a non-2xx or times out, Bynli retries the delivery with increasing delays between attempts. After repeated failures, the delivery is marked as failed and — if failures continue — the subscription may be paused until you confirm the URL is healthy from your dashboard.

Idempotency. Because retries exist, the same delivery can arrive more than once. Use X-Bynli-Delivery (a unique ID per delivery attempt chain) to de-duplicate on your side.

Managing subscriptions

You can pause, resume, rotate the signing secret, and delete subscriptions from Webhooks in your dashboard. Rotating the signing secret invalidates the previous one immediately.