Overview
The Webhook settings page is where carrier, MGA, and wholesaler administrators register HTTPS endpoints that Turris calls automatically whenever a key compliance event happens, so your own CRM, ticketing tool, or data warehouse stays in sync without polling. Each webhook listens for one event type, carries a signed payload your system can verify, and keeps a full delivery history you can audit and replay.
What is the Webhook Settings Page?
The Webhook settings page lets developers and compliance administrators wire Turris up to their internal systems so those systems react automatically the moment an agency or agent's compliance status flips, a data sync finishes, or a producer agreement is signed. It lives inside the Settings window under the Developer group, alongside API and Integrations.
Who uses it. A platform engineer, integrations developer, or technical operations lead at a carrier, MGA, or wholesaler who owns the connection between Turris and the receiving system.
What you can do here:
Register one or more HTTPS endpoints to receive event payloads from Turris.
Choose which event type each webhook listens for, so every endpoint handles a single category of change.
Capture the one-time Webhook Secret at creation and store it in your secret manager for HMAC signature verification.
Open any webhook to inspect every delivery attempt, including HTTP status codes and error messages returned by your endpoint.
Manually resend a failed event after fixing the problem on your side, without waiting for the next live event.
Remove a webhook when an integration is retired so Turris stops sending traffic to a dead URL.
Accessing the Webhook Settings Page
The Webhook page lives inside the Settings window, which you can open from anywhere in the platform.
In the left sidebar, click Settings (the gear icon near the bottom). The Settings window opens with a searchable category list on the left.
The categories are grouped under three headings: Organization, Personal, and Developer. Scroll to the Developer heading, or type
Webhookinto the Search settings box at the top of the list.Click Webhook. The page loads with a Configure your Webhooks banner and a table of any endpoints you have already registered.
What's visible on the page:
Element | Description |
Configure your Webhooks banner | Fixed banner at the top reading "Set up webhook URLs to receive notifications when certain events occur for your agencies and agents." |
Add Webhook button | Right-aligned above the table. Opens a slide-over form to register a new endpoint. Hidden for members whose role does not grant the Create permission. |
Webhooks table | One row per registered webhook. Click any row to switch the view to that webhook's delivery history. |
Empty state | "No webhooks configured yet." replaces the table when nothing has been registered. |
Non-customer state | A Become a Customer prompt replaces the page when your organization is on a non-customer plan. |
Each row in the webhooks table shows:
Column | Description |
Type | The event type the webhook listens for, shown as a badge. One of: Agency Compliance Status Changes, Agent Compliance Status Changes, Entity Compliance Data Synchronized, Producer Agreement Executed. |
Url | The HTTPS endpoint Turris posts to, shown in a chip-styled background. |
Client Secret | The last four characters of the webhook's signing secret, rendered as |
Actions | Three-dot menu containing Delete. The column is hidden for members whose role does not grant the Delete permission. |
Clicking any row replaces the table with the delivery-history view for that webhook.
Adding a Webhook
When you'd do this. You've built or updated a receiving endpoint on your side, you have the HTTPS URL ready, and you know which Turris event category your handler is designed to process.
Open the Webhook page (left sidebar → Settings → Developer → Webhook).
Click Add Webhook. The Add Webhook slide-over opens.
Fill in the form:
Field | Required | Description |
Webhook Type | Yes | Pick one of the four event types from the dropdown. It defaults to the placeholder "Select webhook type"; the form will not submit until you choose a real value. |
Webhook URL | Yes | The HTTPS endpoint Turris should POST events to. Must be a valid URL. Example: |
Click Add. The button stays disabled until both fields are valid.
A Webhook Created confirmation modal appears with the full Webhook Secret in a copyable code block, followed by security guidance ("Please store this secret in a safe place. The secret will only be shown once and cannot be retrieved later.").
Click the secret to copy it, then store it in your secret management system.
Click Ok to dismiss the modal. The new webhook appears in the table with
•••• XXXXin the Client Secret column.
Warning: The full secret is shown only once, inside the Webhook Created modal. Turris stores it encrypted and never exposes it again. If you lose it, delete the webhook and create a new one to receive a fresh secret.
Tip: Register one webhook per event type rather than one URL that handles everything. It keeps your handler code focused and makes failure patterns easier to diagnose in the delivery history.
Available Webhook Types
Pick the type that matches the event your receiving system is built to handle. Each webhook listens for exactly one type, so register a separate webhook per category when you need more than one.
Type | Sent when | Delivery behavior |
Agency Compliance Status Changes | An agency's compliance status changes for a product-and-state combination (license, appointment, or PDB-driven changes). | Debounced: Turris waits out a quiet period after the last change in a sequence, then sends one consolidated payload listing every affected agency. Only states and products whose status actually changed are included. |
Agent Compliance Status Changes | An individual agent's compliance status changes for a product-and-state combination. | Same debounced, consolidated, diff-based behavior as the agency type. |
Entity Compliance Data Synchronized | A NIPR data fetch or full refresh reaches a terminal state (success or error) for an agency or agent. | Sent immediately, with no debounce. |
Producer Agreement Executed | An invited agency finishes signing its producer agreement. | Sent immediately, with no debounce, once per signed agreement. |
Viewing Webhook Delivery History
When you'd do this. You want to audit deliveries to a specific endpoint, confirm Turris is calling it, or investigate why your receiving system did not see an expected event.
In the webhooks table, click any row. The page switches to the delivery-history view for that webhook.
The webhook URL is shown in a chip in the top-right of the page so you can confirm which endpoint you're inspecting.
The events table lists every delivery attempt for that webhook:
Column | Description |
Date | The date of the delivery attempt. |
Time | The time of day the attempt was made. |
Attempt | The attempt number. Automatic retries and manual resends each increment this counter. |
Status | A success badge when your endpoint returned a 2xx code; a failed badge when it returned an error, timed out, or could not be reached. |
Actions | Three-dot menu containing Logs and Resend. |
To return to the list of webhooks, click Back to Webhooks in the top-left (the chevron-arrow link).
Note: If the view shows "No events found for this webhook.", Turris has not yet delivered any event to that endpoint, either because no matching event has occurred or because the webhook was just created.
Resending a Webhook Event
When you'd do this. A previous delivery failed, you've fixed the bug or outage on your endpoint, and you want Turris to redeliver that specific event instead of waiting for new activity to trigger another one.
In the delivery-history view, find the failed event row.
Open the Actions menu (the three-dot icon at the end of the row).
Click Resend. The option is disabled when the event already has a success status, and hidden for members whose role does not grant the Update permission on Webhook settings.
A "Webhook resend is in progress" success notification confirms the retry was queued. A new row appears in the delivery history shortly after, with the next attempt number.
Note: Resend creates an additional delivery of the same event. Your handler should be idempotent so it can safely receive the same payload more than once.
Inspecting Logs for an Event
When you'd do this. A delivery shows the failed badge and you want to see the HTTP status code or error message your endpoint returned before deciding what to fix.
In the delivery-history view, open the Actions menu on the event row.
Click Logs. The option is disabled when no log entries exist for that event.
The Webhook Logs modal opens with one block per recorded attempt. Each block shows:
Field | Description |
Date | Date of the attempt. |
Time | Time of day of the attempt. |
Status Code | HTTP status code returned by your endpoint, for example |
Error Message | The error returned by your endpoint or by the HTTP client, when available. |
URL | The full URL the request was sent to. |
Click Close to dismiss the modal.
Deleting a Webhook
When you'd do this. You're retiring an integration, replacing the endpoint with a new URL, or rotating the signing secret (which requires recreating the webhook).
In the webhooks table, locate the row for the endpoint you want to remove.
Open the Actions menu (the three-dot icon at the end of the row).
Click Delete.
A Delete Webhook confirmation modal appears reading "Are you sure you want to delete this webhook?"
Click Delete to confirm, or Cancel to back out.
A "Webhook deleted successfully" notification confirms removal and the row disappears from the table.
Warning: Deletion cannot be undone and invalidates the signing secret. If you later recreate a webhook on the same URL, Turris generates a brand-new secret. To avoid missed events, stand up the replacement webhook first, confirm it is receiving traffic, then delete the old one.
Event Status Indicators
Color | Label | Meaning | What to do about it |
Green | success | Your endpoint returned a 2xx HTTP status within the 20-second timeout. | Nothing. The event was accepted. |
Red | failed | Your endpoint returned a non-2xx status, took longer than 20 seconds, or was unreachable. | Open Logs to read the status code and error message. Fix the issue on your endpoint, then use Resend to retry that specific event. |
Frequently Asked Questions
Who can change Webhook settings? Members whose role grants permissions on Webhook settings. Read controls whether the Webhook page and delivery history are visible at all; Create gates Add Webhook; Update gates Resend; Delete gates the row's Delete action.
Can I retrieve the Webhook Secret after closing the confirmation modal? No. Turris stores the secret encrypted and never exposes the full value through the UI again, only the last four characters in the Client Secret column. If the secret is lost, delete the webhook and create a new one to receive a fresh secret.
How do I verify a request really came from Turris? Every request carries two headers: X-Turris-Signature (a hex-encoded HMAC-SHA256 signature) and X-Turris-Timestamp (a Unix timestamp in seconds). To verify, build the signed message as {timestamp}.{raw request body}, compute an HMAC-SHA256 of it using your stored secret as the key, and compare the result to X-Turris-Signature with a timing-safe comparison. Reject any request whose signature does not match.
My signatures never match. What am I missing? The most common mistakes are two: the signing key is the secret decoded from hexadecimal, not the literal characters of the secret string; and the signed body must be the exact raw bytes Turris sent, so verify before any JSON re-serialization that could reorder keys or change whitespace.
What does the request body look like? Each delivery is a JSON object with three top-level fields: webhookType (the event type), upstreamEntityId (your organization's identifier), and payload (the event-specific data). Send a 2xx response as soon as you have accepted it.
How quickly does an event arrive at my endpoint? Entity Compliance Data Synchronized and Producer Agreement Executed events are sent immediately. The two compliance-status-change types are debounced: Turris waits out a roughly one-minute quiet window after the last status change in a sequence before sending a single consolidated payload, with a hard cap that forces delivery during long stretches of continuous activity.
What happens when my endpoint is unreachable? Turris retries failed deliveries automatically with an exponential backoff between attempts, and every attempt appears as an additional row in the delivery history. You can also click Resend on a failed row to trigger an extra retry manually once you have fixed the underlying issue.
Why is the Resend action greyed out? Resend is disabled for events that already have a success status, and hidden entirely from members whose role does not grant the Update permission on Webhook settings.
Can I edit a webhook's URL or type after creation? No. To change either field, delete the webhook and create a new one. The new webhook gets a fresh secret, so update your receiving system before removing the old webhook to avoid missing events in between.
Best Practices
Store the Webhook Secret in your secret manager the moment it is shown. Copy it from the Webhook Created modal straight into a vault before dismissing the dialog. Turris does not expose the full value again, and the only recovery is to recreate the webhook.
Always verify the signature before processing. Build the signed message as
{timestamp}.{raw body}, HMAC-SHA256 it with the hex-decoded secret, and compare againstX-Turris-Signatureusing a timing-safe comparison. Treat unsigned or mismatched requests as hostile.Check the
X-Turris-Timestampto reject stale requests. Binding the timestamp into the signed content blocks replay attacks; reject requests whose timestamp is outside a tolerance window you choose.Register one webhook per event type. Scoping each endpoint to a single category keeps handler logic focused and makes failure patterns obvious in the delivery history.
Make your handler idempotent. Turris retries on transient failures and Resend creates additional deliveries, so your endpoint must handle the same event arriving more than once without side effects.
Acknowledge fast, process asynchronously. Return 2xx as soon as you have queued the payload, then do heavy work on a background worker. Endpoints slower than 20 seconds are marked failed and retried.
Audit the delivery history regularly. Open each webhook and confirm recent events show success. Investigate clusters of failed rows before they grow into a backlog.
Rotate secrets by recreating the webhook. When you need a fresh signing key, stand up a new webhook on the same URL, switch your handler to accept both old and new secrets briefly, then delete the old webhook once you confirm no in-flight events remain.
Related Pages
API (Settings) — Generate API Clients and Restricted Access Tokens that connect Turris to your own systems.
Settings: Integrations — Connect Turris to third-party tools like HubSpot so agency, contact, and agent data stays in sync.
Settings: Business Rules — Set organization-wide defaults for coverage thresholds, onboarding automation, AML/OFAC screening, and compliance verdicts.
Settings: Products & Compliance — Define every product you distribute and the state-by-state license and appointment requirements.
Settings: Security — Enforce organization-wide multi-factor authentication on top of the email magic-link login.
Settings: Email Domain — Register your own sending domain so platform emails arrive from your brand.
Settings: Personal Notifications — Choose which compliance and lifecycle events appear in your Event Log and Activity feed.
Settings: Template Agreements — Build reusable contract templates sent for signature when you invite a new agency.
Users (Settings) — Add teammates, edit their profile and roles, and remove members who no longer need access.
Agency Onboarding: Upload Documents — Set the compliance-document checklist invited agencies must satisfy before finishing onboarding.
Agency Onboarding Settings: Product and State Selections — Toggle whether invited agencies pick their products and states during onboarding.
Agency Onboarding: Payment Details — Decide whether invited agencies must provide banking information before finishing onboarding.
Agency Onboarding: Custom Questions — Build an extra onboarding step that captures information the standard steps do not.
Agency Onboarding: Pre-Contract Review — Gate finished onboarding submissions for manual review before producer agreements are sent.
Need Help?
If you have questions about Webhook Settings or encounter any issues, contact our support team at support@turris.com.