Secure Signed Webhook (SS Webhook) Streaming Export Integration enables real-time data delivery to external webhook endpoints with cryptographic signature verification as part of Treasure Data's activation workflows.
With this integration, you can securely send customer data to your webhook endpoints in real-time, with signatures to verify the authenticity and integrity of each request.
- Basic knowledge of Treasure Data
- Basic knowledge of webhook architecture and HTTP/HTTPS protocols
- Understanding of HMAC-SHA256 signature verification
- A publicly accessible HTTPS endpoint that can receive HTTP requests (Supported HTTP Methods: GET, POST, PUT, DELETE, and PATCH)
- Ability to implement signature verification logic on your webhook receiver
The primary use case for this streaming integration is to incorporate it into a real-time activation workflow to:
- Send customer profile data to external systems in real-time
- Trigger downstream processes based on customer behavior
- Synchronize customer data with third-party applications
- Enable real-time personalization in external platforms
Here is an overview of how to configure that workflow to trigger a delivery:
- Set up your webhook endpoint to receive HTTP requests with JSON payloads (POST is the default method, but other HTTP methods can be configured).
- Implement signature verification logic using HMAC-SHA256 on your webhook receiver.
- Create an authentication for this integration with your webhook URL and signing secret.
- In a Real-time Journey, select this authentication for a new triggered activation.
- The webhook endpoint must be accessible via HTTPS (TLS 1.2 or higher recommended).
- The endpoint must respond within 30 seconds to avoid timeout errors.
- Maximum payload size is 1MB per request.
- Rate limits depend on your infrastructure capacity.
- The signature is calculated using HMAC-SHA256 and sent in the
X-TD-Signatureheader. - Your webhook must return HTTP status codes 200-299 for successful processing.
You must create and configure the data connection in Treasure Data. As part of the data connection, you provide authentication credentials to access the integration.
Perform the following steps to create a new authentication with a set of credentials.
- Select Integrations Hub.
- Select Catalog.
- Search for your Integration in the Catalog; hover your mouse over the icon and select Create Authentication.
- Ensure that the Credentials tab is selected and then enter credential information for the integration.
| Parameter | Description |
|---|---|
| URL Prefix | The base URL prefix of the webhook HTTPS endpoint that will receive the webhook requests. All triggered activations using this authentication must use URLs that start with this prefix. |
| Auth Type | Select the authorization type to secure your webhook endpoint. Supported types: Basic Auth, Bearer Token, API Key, Treasure API Key, Custom Auth, or No Auth. |
Authentication Type Details:
Basic Auth: HTTP Basic Authentication using username and password
- User Name: The username for authentication
- Password: The password for authentication
Bearer Token: OAuth 2.0 Bearer Token authentication
- Bearer Token: The authentication token value
API Key: Custom API key authentication
- API Key Name: The name of the API key header or parameter
- API Key: The API key value
Treasure API Key: Treasure API key authentication
- Uses your Treasure API key for authentication
Custom Auth: Custom authentication headers
- Configure custom authentication headers as needed
No Auth: No authentication required
- Use only for testing or publicly accessible endpoints
- Select Continue.
- Enter a name for your connection.
- Select Done.
After configuring the SS Webhook Streaming integration, it is now available to be incorporated into real-time customer journey activations. See Creating a Real-time Triggered Activation.
To create or update a triggered activation:
Select the triggered activation you want to configure
.In the triggered activation window, select an activation from the Copy triggered activation from drop-down menu.
Enter a Triggered activation name.
Enter an Optional description of the activation.
From the Authentication drop-down menu, select the authentication the activation should use.
Depending on the type of authentication you choose, the details you will need to provide will vary. Refer to the integration-specific table below for more information.
- Verify or provide the information required for the fields on the Details page.
- After the Details are configured, select Create or Update.
| Parameter | Values | Description |
|---|---|---|
| HTTP Method | optional, default POST | The HTTP method to use for the request. Supported methods: GET, POST, PUT, DELETE, PATCH |
| URL | required | The complete webhook API endpoint URL. Must start with the URL Prefix configured in the authentication |
| Custom Headers | optional - JSON Object | Additional HTTP headers to include in the request. You can add multiple headers with a maximum of 32 headers. The maximum size for each header key and value is 256 bytes each. Example: {"Content-Type": "application/json", "X-Custom-Header": "value"} |
| Request Body | required - JSON Object | The JSON payload structure to send to the webhook endpoint. |
| Retry Limit | optional, default 3 | Maximum number of retry attempts before giving up on failed requests |
| Connection Timeout (Seconds) | optional, default 30 | Maximum time in seconds to wait for establishing a connection to the webhook endpoint |
| Read Timeout (Seconds) | optional, default 30 | Maximum time in seconds to wait for reading the response from the webhook endpoint |
| Write Timeout (Seconds) | optional, default 30 | Maximum time in seconds to wait for sending the request payload to the webhook endpoint |
The SS Webhook integration supports dynamic runtime expressions and cryptographic functions that can be used in custom headers and request body.
Use these expressions to dynamically insert values at request time:
| Expression | Description | Example Output |
|---|---|---|
${unix_timestamp} | Current Unix timestamp in seconds | 1709568000 |
${http_method} | The HTTP method being used | POST |
${relative_path} | The relative path of the URL (path after the domain) | /api/webhook/events |
Example usage in Custom Headers:
{
"X-Timestamp": "${unix_timestamp}",
"X-Method": "${http_method}"
}Use these cryptographic functions to generate secure signatures for request authentication:
| Function | Description | Output Format |
|---|---|---|
${hmac_sha256_hex(secret, string)} | Generates HMAC-SHA256 signature and returns as hexadecimal string | a1b2c3d4e5... |
${hmac_sha256_base64(secret, string)} | Generates HMAC-SHA256 signature and returns as Base64-encoded string | YTFiMmMzZD... |
Example usage for signature generation:
{
"X-Signature": "${hmac_sha256_hex(my_secret_key, ${unix_timestamp}.${request_body})}",
"X-Timestamp": "${unix_timestamp}"
}This allows you to implement custom signature verification on your webhook endpoint similar to the Secure Signed Webhook pattern.
- The connector will retry to send the request when it gets the status code 429, 500, 502, 503, or 504.
- If the request is sent successfully before the Retry Limit is reached, the logging will show successfully.
- If the request still fails after reaching the Retry Limit, the connector will stop the job.
- We will see the error message and the status code in the client's activation table whenever the request sent fails.
- The Retry Limit can be configured in the Activation Config.
- Idempotency: Design your webhook receiver to handle duplicate requests safely, as retries may occur.
- Timeout Handling: Ensure your webhook endpoint responds within 30 seconds. For long-running processes, acknowledge receipt immediately and process asynchronously.
- Security: Always verify the signature before processing the payload to prevent unauthorized requests.
- Monitoring: Implement logging and monitoring on your webhook endpoint to track successful deliveries and failures.
- Error Handling: Return appropriate HTTP status codes (200-299 for success, 4xx for client errors, 5xx for server errors).