Configuration
Meridian configures webhook endpoints during provisioning.
Security
Webhook requests use the same HMAC SHA-256 scheme as the REST API, but with a dedicated Webhook API Key and Secret issued separately from your REST API credentials. Each request includes the following headers:| Header | Description |
|---|---|
X-Meridian-Api-Key | Issued by Meridian, specifically for Webhooks |
X-Meridian-Timestamp | Current time in milliseconds (within 60 seconds of the request) |
X-Meridian-Signature | HMAC SHA-256 signature |
Delivery and retries
Meridian considers a webhook delivered when your endpoint returns an HTTP2xx response within 30 seconds. If the request times out or returns a non-2xx status, Meridian retries using exponential backoff — up to 6 attempts over 24 hours.
Because retries can result in duplicate deliveries, your webhook handler should be idempotent — processing the same event more than once should produce the same outcome.