Documentation

Webhooks

Register an endpoint under Webhooks to get a signed POST whenever a matching event fires (register, login, license, check, file, var, blocked). Each delivery includes an X-LumenAuth-Signature header — an HMAC-SHA256 of the raw body using your webhook secret.

Payload
json
{
  "type": "register",
  "success": true,
  "email": "user@x.com",
  "ip": "203.0.113.5",
  "hwid": "DEVICE-ID",
  "message": "Redeemed LUMEN-…",
  "timestamp": "2026-07-06T21:00:00.000Z"
}
Verify the signature (Node.js)
js
import { createHmac, timingSafeEqual } from "crypto";

function verify(rawBody, signature, secret) {
  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
  return timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}