Event notifications
Signed metadata-only events for Team workflows.
Payload boundary
Event notifications contain lifecycle metadata only. They must not include plaintext, passphrases, URL fragments, full private links, complete ciphertext bodies, recovery codes, or API keys.
- secret.viewed
- secret.expired
- request.submitted
- request.revealed
- link.burned
Signature verification
Verify the Shhhs signature before accepting an event. Treat failed verification as an authentication failure and do not retry with logged payloads.
X-Shhhs-Signature: t=timestamp,v1=hmac
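
One way a receiver could check the `t=timestamp,v1=hmac` header above, as an added example that is not Shhhs's own code. The page does not define the signing scheme, so the HMAC-SHA256 algorithm, hex encoding, `"<t>.<raw body>"` signed input, 300-second tolerance, and the names `parse_header` and `verify_event` are all assumptions to replace with the documented values.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: replay window; the page does not define one

def parse_header(header: str):
    """Split 't=timestamp,v1=hmac' into (raw timestamp, list of v1 values)."""
    t_raw, v1_values = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            return None  # malformed element
        if key == "t":
            if t_raw is not None or not (value.isascii() and value.isdigit()):
                return None  # duplicate or non-numeric timestamp
            t_raw = value
        elif key == "v1":
            v1_values.append(value)
    if t_raw is None or not v1_values:
        return None
    return t_raw, v1_values

def verify_event(secret: bytes, header: str, body: bytes, now=None) -> bool:
    """Return True only if the header authenticates the raw body bytes."""
    parsed = parse_header(header)
    if parsed is None:
        return False
    t_raw, v1_values = parsed
    now = time.time() if now is None else now
    if abs(now - int(t_raw)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated event: possible replay
    # Assumption: signed input is "<t>.<raw body>", HMAC-SHA256, hex-encoded.
    signed = t_raw.encode() + b"." + body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
    # Constant-time compare; check every candidate, not just the first match.
    ok = False
    for value in v1_values:
        ok |= hmac.compare_digest(expected, value.encode())
    return ok

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real key
    body = b'{"type":"secret.viewed","id":"evt_constructed"}'  # constructed event
    t = str(int(time.time()))
    mac = hmac.new(secret, t.encode() + b"." + body, hashlib.sha256).hexdigest()
    print(verify_event(secret, f"t={t},v1={mac}", body))         # valid event
    print(verify_event(secret, f"t={t},v1={mac}", body + b" "))  # tampered body
```

Verify against the raw request bytes before any JSON parsing, and when `verify_event` returns False respond as for any other authentication failure without writing the body to logs.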