Audience: Backend, Security, Frontend
Outcomes: Durable reconciliation; real-time UX.
Stripe webhook (raw body + signature)
POST /api/webhooks/stripe # verify Stripe-Signature; dedupe by event.id
Bank webhook (HMAC)
POST /api/webhooks/bank # verify X-Hmac-Signature (constant-time compare)
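The checks named on the two webhook routes above, as an added Node.js example that is not code from the original page: signature verification over the raw body with a constant-time compare, then dedupe by event.id. Assumptions: the bank's X-Hmac-Signature is taken to be a hex HMAC-SHA256 of the raw body, the 300-second timestamp tolerance is a chosen value, the function names are hypothetical, and the in-memory Set stands in for a durable store.

```javascript
const crypto = require('node:crypto');

const hmacHex = (secret, data) =>
  crypto.createHmac('sha256', secret).update(data).digest('hex');

// Constant-time compare of our digest against the caller-supplied one.
// The regex rejects malformed input first: timingSafeEqual throws on unequal lengths.
function safeEqualHex(expectedHex, suppliedHex) {
  if (!/^[0-9a-f]{64}$/i.test(suppliedHex)) return false;
  return crypto.timingSafeEqual(Buffer.from(expectedHex, 'hex'), Buffer.from(suppliedHex, 'hex'));
}

// Bank webhook. Assumption: X-Hmac-Signature is hex HMAC-SHA256 over the raw body.
function verifyBank(rawBody, header, secret) {
  return safeEqualHex(hmacHex(secret, rawBody), header);
}

// Stripe webhook: header "t=<unix>,v1=<hex>", signed payload "<t>.<rawBody>".
// rawBody must be the body exactly as received, never re-serialized JSON.
function verifyStripe(rawBody, header, secret, nowSec, toleranceSec = 300) {
  const parts = String(header).split(',').map(p => p.split('='));
  const t = (parts.find(([k]) => k === 't') || [])[1] || '';
  const sigs = parts.filter(([k]) => k === 'v1').map(([, v]) => v);
  // Reject stale or future timestamps to limit replay of captured requests.
  if (!/^\d+$/.test(t) || Math.abs(nowSec - Number(t)) > toleranceSec) return false;
  const expected = hmacHex(secret, `${t}.${rawBody}`);
  return sigs.some(s => safeEqualHex(expected, s));
}

// Dedupe by event.id. The Set stands in for a durable store with a unique key.
const seen = new Set();
function handleStripe(rawBody, header, secret, nowSec) {
  if (!verifyStripe(rawBody, header, secret, nowSec)) return 'rejected';
  const event = JSON.parse(rawBody); // parse only after the signature checks out
  if (seen.has(event.id)) return 'duplicate';
  seen.add(event.id);
  return 'processed';
}

// Constructed sample input (not a real secret or event).
const SECRET = 'whsec_constructed_example';
const BODY = '{"id":"evt_constructed_1","type":"payment.succeeded"}';
const NOW = 1700000000;
const HEADER = `t=${NOW},v1=${hmacHex(SECRET, `${NOW}.${BODY}`)}`;
```

In a real handler the route must receive the unparsed request body; a JSON body parser running ahead of it changes the bytes and the signature no longer matches.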
SSE stream
GET /api/events/stream # text/event-stream (withCredentials)
Event names (selection)
order.created, order.status.changed
deliverable.uploaded, deliverable.accepted, deliverable.rejected
payment.succeeded, payment.failed
escrow.released
dispute.opened, dispute.evidence.added, dispute.resolved
contract.fully_signed
Client
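// API is the backend base URL, defined elsewhere in the client.
// withCredentials sends cookies on a cross-origin stream; the server must answer with
// Access-Control-Allow-Credentials: true and an explicit (non-wildcard) allowed origin.
const es = new EventSource(`${API}/api/events/stream`, { withCredentials: true });
['order.status.changed', 'payment.succeeded', 'dispute.opened'].forEach(n =>
  es.addEventListener(n, e => console.log(n, JSON.parse(e.data))));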