Documentation

Webhook Events

Configure signed RestoreCord webhook event delivery for external systems, including headers, payload shape, events, and delivery behavior.

Copy page

Overview

Webhook events send RestoreCord activity to your own HTTPS endpoint. Use them for audit trails, moderation pipelines, CRM updates, internal dashboards, or automation that needs to react when RestoreCord records change.

Enterprise webhook events are different from Discord webhook logs. Discord webhook logs post messages into a Discord channel; webhook events are signed HTTP requests to infrastructure you control.

Configure Delivery

1

Create an HTTPS receiver

Your endpoint must accept JSON POST requests and return a 2xx response after processing or safely queueing the event.

2

Set the webhook URL

Configure the server webhook URL in RestoreCord server settings or through the server API.

HTTP
PATCH /api/v3/servers/{serverId}
Content-Type: application/json

{
  "webhookUrl": "https://example.com/restorecord/events"
}
3

Verify before acting

Use the webhook secret to verify the signature header before trusting the payload.

Do not point webhook events at a public testing bin or shared endpoint with production data unless you are comfortable with the payload leaving your systems.

Headers

Header
Content-Type
Value
application/json
Header
X-Webhook-Event
Value
Event name, such as member.verified.
Header
X-Signature-256
Value
HMAC-SHA256 signature for the raw request body.

Signature Verification

Verify signatures against the raw request body. If the signature includes a sha256= prefix, strip it before comparing.

TS
import crypto from "crypto";

function verifyRestoreCordSignature(rawBody: Buffer | string, signatureHeader: string, secret: string) {
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  const actual = signatureHeader.replace(/^sha256=/, "");

  const expectedBuffer = Buffer.from(expected, "hex");
  const actualBuffer = Buffer.from(actual, "hex");

  return expectedBuffer.length === actualBuffer.length && crypto.timingSafeEqual(expectedBuffer, actualBuffer);
}

Verify the exact raw body bytes received by your framework. Re-stringifying parsed JSON can change whitespace or field order and break signature checks.

Payload Shape

Every event includes the event name, creation time, server context when available, and event-specific data.

Example request JSON
{
  "event": "member.verified",
  "timestamp": "2026-06-07T12:00:00.000Z",
  "server": {
    "id": 123,
    "name": "My Server",
    "guildId": "123456789012345678"
  },
  "data": {
    "userId": "234567890123456789",
    "username": "member",
    "countryCode": "US",
    "isNewMember": true
  }
}
Field
event
Description
RestoreCord event name.
Field
timestamp
Description
ISO timestamp generated by RestoreCord.
Field
server
Description
RestoreCord server ID plus Discord guild context when the event is server-scoped.
Field
data
Description
Event-specific payload. Treat unknown fields as additive changes.

Events

Use the event name to route payloads in your receiver. Current documented event families include member verification, firewall activity, and snapshots.

Event
member.verified
When it fires
A member successfully verifies through RestoreCord.
Important data
userId, username, avatar, countryCode, isNewMember
Event
member.denied
When it fires
A member is denied during verification.
Important data
userId, username, reason, details
Event
firewall.block
When it fires
Firewall denies a verification request.
Important data
userId, username, ip, countryCode, action, reason
Event
firewall.allow
When it fires
Firewall explicitly allows a request through a rule or bypass.
Important data
userId, username, ip, countryCode, action, reason
Event
firewall.password
When it fires
A user submits a firewall password.
Important data
action, success, reason
Event
snapshot.create
When it fires
Snapshot creation is initiated.
Important data
snapshotId, snapshotName
Event
snapshot.restore
When it fires
Snapshot restore is initiated.
Important data
snapshotId, snapshotName, targetGuildId, restoreMessageCount, clearServer

Reason Values

Member denial reasons can include firewall, blacklist, vpn, wireless, alt, guild, or account_age.

Sensitive fields such as IP address depend on server settings and plan access. Build receivers so nullable fields are accepted.

Delivery Behavior

  • RestoreCord sends webhook events over HTTPS as JSON POST requests.
  • Your receiver should return quickly; queue slow work in your own system.
  • Delivery is best-effort and fire-and-forget; failed deliveries are not retried by the current dispatcher.
  • Webhook delivery does not block the original RestoreCord operation.
  • Handlers should be idempotent so duplicate deliveries do not create duplicate side effects.

Treat 2xx responses as accepted. Non-2xx receiver responses are not retried by RestoreCord, so queue and monitor failures on your side.

Next Steps

API Webhooks

Review webhook endpoints and API reference details.