Configure a destination
In Destinations, add an HTTPS webhook URL and store the signing secret once. An owner or admin can pause, test, update, or remove the destination.Verify the signature
Lucim signs a timestamped raw request body with HMAC-SHA256. Verify the exact raw bytes before parsing JSON and enforce an acceptable timestamp tolerance. Relevant headers include:Handle retries
1
Verify
Reject an invalid signature without processing the event.
2
Deduplicate
Store
X-Lucim-Idempotency-Key before applying side effects. Return success for a key already processed.3
Process
Persist the signal payload and every
evidence_id needed by your workflow.4
Respond
Return a 2xx response only after durable acceptance. Retryable transport failures, 408, 429, and 5xx responses back off until the attempt limit.
dead_letter and appears in Health.