Developer Documentation
Webhooks - Real-time Updates
Scalable Vector Icons for Modern Interfaces. Configure event listeners to receive instant notifications when icon packs are updated or new collections are published.
Webhook Events
IconFlow triggers HTTP POST requests to your endpoint whenever a tracked resource changes state. Select the events your integration requires to minimize payload overhead and reduce latency.
pack.updated
Fires when an existing icon pack receives a version bump, SVG optimization, or metadata correction. Triggered for packs like "Lumina UI v2.4.1" and "Nexus Core v1.8.0".
collection.published
Dispatched when a creator finalizes and publishes a new themed set. Includes bundle size, format compatibility, license tier, and total asset count.
asset.archived
Notifies your system when a deprecated icon pack is moved to the legacy archive. Useful for clearing local caches, updating CDN references, or triggering fallback logic.
Payload Structure
Every webhook delivery contains a standardized JSON envelope. Parse the event_type field first, then extract resource metadata from the data object to route notifications correctly.
{
"event_id": "evt_9f8a7b6c5d4e3f2a1b0c",
"event_type": "pack.updated",
"timestamp": "2024-05-14T09:22:18Z",
"data": {
"pack_id": "pk_lumina_ui_v2",
"version": "2.4.1",
"creator": "Studio Aris",
"format": ["svg", "webp"],
"checksum": "sha256:8f4e3a2b1c0d9e8f7a6b5c4d3e2f1a0b",
"cdn_url": "https://assets.iconflow.dev/lumina-ui-v2.4.1.zip"
}
}All payloads include a checksum field for integrity validation. IconFlow rotates signing keys quarterly; monitor the X-Signature-Key header for rotation notices and update your environment variables accordingly.
Verification & Security
Protect your endpoints by validating request signatures. IconFlow appends an HMAC-SHA256 signature to every delivery using your registered webhook secret.
Signature Validation
Compare the X-IconFlow-Signature header against your computed HMAC. Reject payloads with mismatched signatures or missing timestamps older than 300 seconds to prevent replay attacks.
const expected = crypto.createHmac('sha256', secret)
.update(timestamp + '.' + rawBody)
.digest('hex');
if (signature !== expected) {
return res.status(401).end('Invalid signature');
}Delivery Behavior
IconFlow retries failed deliveries using exponential backoff. Endpoints must respond with a 2xx status code within 5 seconds. Use the Idempotency-Key header to prevent duplicate processing.