Register a public HTTPS endpoint in Dashboard → Developer → Webhooks. s.id will POST a signed JSON payload to your URL when a subscribed event occurs. Deliveries that fail (non-2xx or timeout) are retried up to 3 times total, with delays of 0s, 5s, and 30s.
link.createdFired when a new link is createdlink.updatedFired when a link's URL or title is changedlink.archivedFired when a link is archivedlink.clickedFired on each redirect (per-click event)microsite.publishedFired when a microsite is publishedqr.scannedFired when a QR code is scannedEvery webhook POST contains a JSON body with the event name, the relevant resource, and a UTC timestamp.
{
"event": "link.created",
"link": {
"id": 123,
"short": "mylink",
"short_url": "https://s.id/mylink",
"long_url": "https://example.com/long-url",
"title": "My Link",
"created": "2026-06-22T10:00:00Z"
},
"timestamp": "2026-06-22T10:00:00Z"
}Every delivery includes an X-SID-Signature: sha256=<hex> header. Compute HMAC-SHA256 of the raw request body using your webhook secret and compare with timing-safe equality.
Node.js
const crypto = require('crypto');
function verifySignature(secret, rawBody, sigHeader) {
const expected = 'sha256=' +
crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
return crypto.timingSafeEqual(
Buffer.from(sigHeader),
Buffer.from(expected),
);
}Go
func verifySignature(secret, body []byte, sig string) bool {
mac := hmac.New(sha256.New, secret)
mac.Write(body)
expected := "sha256=" + hex.EncodeToString(mac.Sum(nil))
return hmac.Equal([]byte(sig), []byte(expected))
}