Timeout
Each webhook delivery attempt has a 3-second timeout. If your server does not respond within 3 seconds, the attempt is marked as failed and may be retried.Retry Strategy
Failed deliveries are retried using an exponential backoff strategy. The delay between attempts increases exponentially:Configurable Retries
When creating a webhook, you choose the maximum number of tries (1 to 5):The
tries setting includes the initial attempt. Setting tries to 3 means 1 initial attempt and 2 retries for a total of 3 delivery attempts.Success Criteria
A delivery is considered successful when your server responds with any2xx HTTP status code (200, 201, 202, etc.).
A delivery is considered failed when:
- Your server responds with a non-2xx status code (4xx, 5xx)
- The connection times out (exceeds 3 seconds)
- The connection is refused or DNS resolution fails
Delivery Logging
Every webhook delivery attempt is logged with the following information:Webhook payloads are encrypted at rest in the database for security. The
X-RMZ-REQUEST-ID header value corresponds to the log entry ID.Automatic Disabling of Failing Webhooks
RMZ periodically evaluates webhook delivery history and automatically disables webhooks that are consistently failing. The default criteria are:
A delivery is counted as failed if
is_error is true or the response status code is outside the 2xx range.
When a webhook is disabled, the store owner can re-enable it from the dashboard after fixing the endpoint issue.
SSL Verification
By default, RMZ verifies the SSL certificate of your webhook endpoint. Self-signed certificates or invalid certificates will cause delivery to fail.Idempotency
Webhooks may be delivered more than once due to retries or network issues. Design your webhook handler to be idempotent — processing the same event twice should produce the same result. Use theX-RMZ-REQUEST-ID header to detect duplicate deliveries:
Best Practices
-
Respond quickly. Return
200immediately and process asynchronously. Do not perform slow operations (API calls, database writes, email sending) before responding. -
Handle retries. Use the
X-RMZ-REQUEST-IDheader for deduplication. Store processed IDs to avoid duplicate processing. - Use HTTPS. Protect sensitive customer and order data in transit.
- Verify signatures. When signing is enabled, always verify the signature before processing the payload.
- Set appropriate retry counts. Use higher retry counts (3-5) for critical integrations and lower counts (1-2) for non-critical notifications.
- Monitor delivery status. Check the webhook logs in your dashboard to identify persistent failures. Fix endpoint issues promptly to avoid missing events.
-
Handle all status codes. If your server returns a non-2xx status intentionally (e.g.,
422for an invalid payload), be aware that RMZ will retry the delivery.

