2026-04-15

Camera User Guidance

Camera Webhook Security & Privacy Guidance (For Users)

What this webhook does

  • Accepts still images (JPEG) sent by your camera/bridge to a unique URL.
  • Stores only the latest image per camera webhook; not a history.
  • Intended for low-detail monitoring (presence/health), not high-res surveillance.

Your responsibilities

  • Keep your webhook secret and HMAC signature secret private. Treat them like a password.
  • If you use the optional X-Webhook-Client-Hash, configure the same value in your device and in the dashboard.
  • Rotate the webhook secret if you suspect exposure.
  • Disable or delete the webhook if a device is lost/compromised.

Security controls we enforce

  • HTTPS only; bearer secret required.
  • Optional HMAC + timestamp (recommended): adds replay protection.
  • Optional client hash binding: only requests with the matching X-Webhook-Client-Hash are accepted when set.
  • Rate limits and size/pixel caps on images.
  • Images are re-encoded, metadata stripped, downscaled (default 800x600, quality 60) to limit detail and storage.
  • Images are stored privately under your account directory, not web-accessible.

Recommended device configuration

  • Send JPEG with headers:
    • Authorization: Bearer <your webhook secret>
    • (If enabled) X-Webhook-Timestamp: <unix> and X-Webhook-Signature: sha256=<HMAC>
    • (If set) X-Webhook-Client-Hash: <your client hash>
  • Keep the device clock reasonably accurate (the HMAC timestamp window is ~5 minutes).
  • Keep payloads small (<5 MB) and at modest resolution; the service will downscale.
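
The following device-side sketch builds the headers listed above and self-checks the timestamp window before sending. It is an added example, not the service's own code. It assumes the signature is a hex HMAC-SHA256 over "<timestamp>." followed by the raw JPEG bytes (confirm the exact signing string in your dashboard); the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_BYTES = 5_000_000   # guidance: keep payloads under 5 MB (conservative reading)
WINDOW_SECONDS = 300    # guidance: HMAC timestamp window is about 5 minutes


def build_headers(bearer_secret, jpeg, hmac_secret=None, client_hash=None, now=None):
    """Return the request headers for one JPEG upload."""
    if not jpeg.startswith(b"\xff\xd8\xff"):
        raise ValueError("payload is not a JPEG")
    if len(jpeg) >= MAX_BYTES:
        raise ValueError("payload is 5 MB or larger")
    headers = {"Authorization": f"Bearer {bearer_secret}"}
    if hmac_secret is not None:
        ts = str(int(time.time() if now is None else now))
        # ASSUMPTION: the signed message is "<timestamp>." + body.
        mac = hmac.new(hmac_secret.encode(), ts.encode() + b"." + jpeg, hashlib.sha256)
        headers["X-Webhook-Timestamp"] = ts
        headers["X-Webhook-Signature"] = "sha256=" + mac.hexdigest()
    if client_hash is not None:
        headers["X-Webhook-Client-Hash"] = client_hash
    return headers


def would_verify(headers, jpeg, hmac_secret, server_now):
    """Local self-test: mirrors a receiver-side check under the same assumption."""
    ts = headers["X-Webhook-Timestamp"]
    if abs(server_now - int(ts)) > WINDOW_SECONDS:
        return False  # outside the window: device clock drift or a replayed request
    expected = "sha256=" + hmac.new(
        hmac_secret.encode(), ts.encode() + b"." + jpeg, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, headers["X-Webhook-Signature"])


if __name__ == "__main__":
    # Constructed sample values: not real secrets and not a real image.
    sample = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    t0 = 1_700_000_000
    h = build_headers("example-bearer", sample, "example-hmac-key", "example-hash", now=t0)
    print(h)
    print(would_verify(h, sample, "example-hmac-key", t0 + 60))   # True
    print(would_verify(h, sample, "example-hmac-key", t0 + 600))  # False
```

A device whose clock is more than about five minutes off fails the second check even with the correct secret, which is the usual cause of rejected signed uploads.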

When to rotate secrets

  • Device lost/stolen.
  • You shared a screenshot containing the webhook URL/secret.
  • You see unexpected activity in logs/last-seen time.

Privacy considerations

  • Images may contain people/PII. Obtain consent where required.
  • Do not rely on this feature for high-security or facial identification; images are intentionally low detail.

Need help?

  • Regenerate secret or disable the webhook from the dashboard.
  • Contact support if you suspect misuse.