Penbox has an event-driven architecture and and can perform webhooks call for most of those events.

Any webhooks configured upon request creation will be triggered whenever the specified event related to that request occurs within Penbox.


In order to authenticate that your publicly exposed endpoint is indeed being called by a Penbox webhook, the HTTP call needs to be authenticated. We do that by signing all our HTTP calls, and you can easily verify this signature. You can read all the details about it in the dedicated page.


The payload will contain:

  • The list of events that triggered the Webhook. Typically, this list will always contain one of responses:created , responses:updated , responses:deleted along with potentially other, more refined, events:
    • responses:completed when the response is ready to be processed
  • The reference (type and id) of the entity that triggered the event
  • For convenience; the full payload of the request related to the event
Digest: SHA-512=azertyuiop
x-pnbx-signature: <signature_jwt>
  "events": [ "responses:updated", "responses:completed" ],
  "data": {
    "type": "responses",
    "id": "<uuid>" // id of the response that was completed
  "request": {
    // Exactly the same payload as GET /requests/id