Docs / Integrations / Webhooks

Webhooks

Get real-time notifications when sitemap events occur. Configure endpoints, verify payloads, and automate your indexing workflow.

📡 Overview

Webhooks allow Sitemap.xml to send HTTP POST requests to your server when specific events happen in your account or generated sitemaps. This enables seamless automation for indexing pipelines, monitoring systems, and third-party services.

💡
Best Practice
Always verify webhook signatures and implement idempotency checks. Our delivery system guarantees at-least-once delivery with exponential backoff retries.

📋 Supported Events

Subscribe to any combination of these events. Each payload includes a unique `event_id` for deduplication.

Event Description
sitemap.generated A new sitemap file has been successfully compiled and published.
sitemap.updated Existing sitemap modified due to content changes or schedule.
indexing.completed Search engine indexing process finished for submitted URLs.
crawl.error Encountered crawl failures, 4xx/5xx responses, or blocked resources.
quota.warning Approaching or exceeded plan limits for URLs or API calls.

⚙️ Configuration

Register your webhook endpoint below. We support HTTPS endpoints only.

New Webhook Endpoint Draft
Must be a valid HTTPS endpoint. HTTP requests will be rejected.
👁️
Used to verify webhook signatures. Keep this secure.
Enable Debug Mode Logs detailed request/response payloads to dashboard

📦 Payload Structure

All webhook deliveries include a standardized envelope with the event payload nested inside.

{
  "id": "whk_2x9k4m8p1q7r3v5z",
  "event": "sitemap.generated",
  "timestamp": "2025-01-15T08:32:14Z",
  "data": {
    "sitemap_url": "https://example.com/sitemap.xml",
    "total_urls": 1247,
    "version": "0.9",
    "submitted_to": ["google", "bing"],
    "size_bytes": 84920
  },
  "signature": "sha256=a8f3k9d2m1p7x4q6..."
}
<webhook>
  <id>whk_2x9k4m8p1q7r3v5z</id>
  <event>sitemap.generated</event>
  <timestamp>2025-01-15T08:32:14Z</timestamp>
  <data>
    <sitemap_url>https://example.com/sitemap.xml</sitemap_url>
    <total_urls>1247</total_urls>
    <version>0.9</version>
  </data>
</webhook>
curl -X POST "https://api.yoursite.com/webhooks/sitemap" \
  -H "Content-Type: application/json" \
  -H "X-Sitemap-Signature: sha256=a8f3k9d2m1p7x4q6..." \
  -H "X-Sitemap-Event: sitemap.generated" \
  -d '{"id":"whk_2x9k4m8p1q7r3v5z","event":"sitemap.generated","timestamp":"2025-01-15T08:32:14Z","data":{...}}'

🔐 Signature Verification

Validate incoming requests by verifying the HMAC-SHA256 signature. The payload body is signed using your secret key.

const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  const digest = hmac.update(payload).digest('hex');
  const expected = `sha256=${digest}`;
  return crypto.timingSafeEqual(
    Buffer.from(expected), 
    Buffer.from(signature)
  );
}
⚠️
Security Notice
Always use constant-time comparison to prevent timing attacks. Never expose your signing secret in client-side code.

📊 Delivery Policy & Logs

We guarantee at-least-once delivery. Failed endpoints are retried with exponential backoff up to 72 hours.

Recent Deliveries Live
14:32:05 sitemap.generated POST → /api/webhooks/sitemap (200 OK)
12:15:44 indexing.completed POST → /api/webhooks/sitemap (200 OK)
09:48:12 crawl.error POST → /api/webhooks/monitor (502 Retry 1/5)
08:32:14 sitemap.updated POST → /api/webhooks/sitemap (Queued)