Security

SendPromptly follows practical security measures to protect webhook delivery, environment tokens, and stored secrets.

Key protections

  • Webhook signing: HMAC-SHA256 (X-SP-Signature: v1=<hex>), computed over {timestamp}.{body}. Verifiers should check that X-SP-Timestamp falls within a 5-minute window of the current time and compare the signature with a constant-time function.
  • Secrets stored encrypted: webhook secrets are encrypted in the database (Laravel Crypt) and shown in plaintext only at creation time.
  • Environment tokens: tokens are stored only as SHA-256 hashes in the database; send them in the Authorization: Bearer <ENV_TOKEN> header.
  • TLS-only endpoints: webhook endpoints must use HTTPS; the portal rejects non-TLS endpoints and performs DNS/IP checks to mitigate SSRF risks.

Recommendations for integrators

  • Always verify X-SP-Signature and X-SP-Timestamp.
  • Rotate signing secrets periodically and use short TTLs for tokens where possible.
  • Keep webhook endpoints behind firewalls or IP allowlists if possible.
  • Use X-SP-Message-Id for deduplication and tracing on your side.
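
The signature and timestamp checks described above, as an added example (not SendPromptly's own code). It assumes X-SP-Timestamp is a Unix time in whole seconds, which the page does not state, and that the secret is the plaintext webhook secret shown at creation time.

```python
import hashlib
import hmac
import time

# Header names and the "v1=<hex>" format come from the page above. Assumption
# (not stated on the page): X-SP-Timestamp is a Unix time in whole seconds.
SIGNATURE_HEADER = "X-SP-Signature"
TIMESTAMP_HEADER = "X-SP-Timestamp"
MAX_SKEW_SECONDS = 5 * 60


def compute_signature(secret: str, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over "{timestamp}.{body}" (without the v1= prefix)."""
    payload = timestamp.encode("utf-8") + b"." + body
    return hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: str, headers: dict, body: bytes, now=None) -> bool:
    """True only when the timestamp is fresh AND the signature matches."""
    # `body` must be the raw request bytes: re-serialising parsed JSON changes
    # whitespace/key order and silently breaks verification.
    now = time.time() if now is None else now
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if timestamp is None or signature is None:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    # Reject deliveries outside the 5-minute window: limits replay of a captured request.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    scheme, _, provided_hex = signature.partition("=")
    if scheme != "v1" or not provided_hex:
        return False
    expected_hex = compute_signature(secret, timestamp, body)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected_hex.encode(), provided_hex.lower().encode())


# Constructed sample delivery (not real SendPromptly data) for a local check.
SAMPLE_SECRET = "whsec_example_only"
SAMPLE_TS = "1700000000"
SAMPLE_BODY = b'{"id":"msg_123","event":"message.delivered"}'
SAMPLE_HEADERS = {
    TIMESTAMP_HEADER: SAMPLE_TS,
    SIGNATURE_HEADER: "v1=" + compute_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}
```

Pass the raw request body and the header values straight from your framework; a header lookup that is case-insensitive is a detail left to the integrator's HTTP stack.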

Audit and compliance notes

  • Delivery attempts, rotations, and secret operations are tracked in audit logs visible to admins.
  • For compliance packages (SOC/ISO), contact sales for additional documentation.