Webhooks#

Webhooks allow Novaza products to push real-time event notifications to external systems or to the Novaza Middleware. Today, Novaza supports inbound webhooks (receiving events into the Novaza Middleware from connected products) and product-scoped outbound event forwarding. A single unified outbound webhook bus with Novaza-branded headers is planned and not yet available.

Inbound Webhooks (available today)#

The Novaza Middleware exposes dedicated webhook endpoints that accept events from specific Novaza products. These are intended for internal platform integration and are authenticated per source.

Desk conversations#

An inbound webhook endpoint accepts conversation, message, and contact events from Novaza Desk and routes them to the relevant tenant workspace. Authentication uses a shared HMAC secret signed against the raw request body.

The exact endpoint path and secret configuration are documented in the Enterprise Implementation Guide, available to Enterprise customers and implementation partners. Contact your account manager for access.

Imaging store events#

An inbound webhook endpoint accepts StableStudy and StablePatient notifications from the Novaza imaging store and forwards them to the tenant’s clinical record. Authentication uses an HMAC secret.

Configuration details for the imaging store webhook are covered in the Medical Imaging Integration Reference (Enterprise).

All inbound endpoints reject requests whose HMAC signature does not match the configured secret.

Outbound Webhooks (per-product)#

Each Novaza product exposes its own outbound webhook system with its own payload schema, signing header and retry policy. Configure these from the respective product’s Settings → Webhooks area:

  • Novaza Office — record created/updated/deleted events per module
  • Novaza Desk — conversation, message and ticket lifecycle events
  • Novaza Pulse — campaign and subscriber events

Because these systems are product-scoped, header names, signature algorithms and retry schedules differ between products. Consult the configuration screen in each product for the exact format it emits.

Verifying Signatures#

All supported webhook mechanisms sign the raw request body with an HMAC using a secret that is generated when the webhook is registered. The general pattern:

import hmac, hashlib

def is_valid_signature(payload_body: bytes, secret: str, signature_header: str) -> bool:
    expected = hmac.new(secret.encode(), payload_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)

Always compute the HMAC over the exact raw bytes of the request body, and reject any request whose signature does not match.

Planned: Unified Outbound Webhooks#

A single platform-wide outbound webhook bus — with a consistent event envelope, unified headers, centralised delivery log and exponential backoff retries — is on the Novaza roadmap. Until it ships, plan your integrations against the per-product mechanisms described above.

Backward Pulse API Changelog Forward

© 2026 Novaza. All rights reserved.