Skip to main content

Overview

Cedar’s workflow automation can send real-time event notifications to your systems via webhooks. When a configured event occurs (such as a car being placed at a station), Cedar POSTs a signed JSON payload to your endpoint.
Webhooks let you integrate Cedar events into your own systems — ERP platforms, notification services, or any HTTP endpoint that can receive JSON.

How It Works

1

Event Triggers

A workflow event fires in ARMS (e.g. car placed at a station).
2

Payload Built

Cedar constructs a JSON payload with event details, equipment information, and timestamps.
3

Signed & Sent

The payload is signed with Ed25519 and POSTed to your configured webhook URL.
4

You Verify

Your endpoint verifies the signature using Cedar’s public key, then processes the event.

Configuration

Each webhook effect requires two inputs when you set up the workflow in ARMS:
InputDescription
Webhook URLThe HTTPS endpoint where Cedar sends the POST request.
AuthorizationA bearer token or other credential sent in the Authorization header.
Always use HTTPS endpoints in production. HTTP endpoints will transmit your authorization token in plaintext.

HTTP Headers

Every webhook request includes these headers:
HeaderDescriptionExample
Content-TypeAlways application/jsonapplication/json
AuthorizationYour configured authorization valueBearer eyJhbGci...
X-Webhook-TimestampUnix epoch (seconds) when the request was sent1709651400
X-Webhook-SignatureBase64-encoded Ed25519 signaturea3F0eGp...
X-Webhook-KeyIdIdentifier for the signing key usedcedar-webhooks-2026
X-Webhook-IdUUID v4 for deduplication550e8400-e29b-41d4-...

Signature Verification

Cedar signs every webhook payload with Ed25519 so you can verify that requests genuinely came from Cedar and haven’t been tampered with.

Public Key

Use this public key to verify webhook signatures: 
MCowBQYDK2VwAyEAuePoYCHOJvZJzlnsxfEv3mtssVKxkDAZsDHUE9Z3TW8=
Store this public key in your application configuration. It does not change between environments.

How Signing Works

The signature covers a combination of the timestamp and the request body: 
signing_input = TIMESTAMP + "." + CANONICAL_JSON_BODY
Where:
  • TIMESTAMP is the value of the X-Webhook-Timestamp header (string)
  • CANONICAL_JSON_BODY is the raw request body bytes (JSON with sorted keys and no extra whitespace)
The signature is the Ed25519 signature of signing_input, base64-encoded in the X-Webhook-Signature header.

Security Best Practices

Verify every request

Always verify the X-Webhook-Signature before processing the payload. This confirms the request came from Cedar and hasn’t been modified in transit.
Compare X-Webhook-Timestamp against the current time. Reject requests older than 5 minutes to prevent replay attacks.
Network retries can cause duplicate deliveries. Store processed X-Webhook-Id values and skip duplicates.
Return a 2xx response within 30 seconds. If processing takes longer, acknowledge the request immediately and process asynchronously.

Available Webhook Effects

Car Actually Placed

Fires when a car is placed at a station or track. Includes equipment details, station, and loaded/empty status.

Train Arrival

Fires when a train arrives at a station. Includes equipment list, station, loaded/empty status, and train number.

Train Set

Fires when a train consist is defined. Includes wagon list, departure/arrival stations with names, and train ID.

Questions?

For questions about webhook configuration or integration, contact your Cedar account team or email support@cedarai.com.