Troubleshooting

Signature Verification Failing

Symptom: WebhookVerificationError or equivalent when verifying.

Cause	Fix
Parsing the body before verifying	Pass the raw bytes to the verification function, not a re-serialized object
CSRF middleware stripping headers	Disable CSRF for your webhook endpoint path
Wrong signing secret	Check you are using the secret for the correct endpoint (each endpoint has its own)

Events Not Being Received

Check your endpoint URL. Confirm it is reachable over HTTPS from the public internet
Check the delivery log. Open the Webhooks page, select your endpoint, and check the message attempts for HTTP errors or timeouts.
Check your endpoint is enabled. Endpoints are auto-disabled after 5 days of continuous failure. Re-enable in the platform.
Check your subscription. Confirm you are subscribed to the event types you expect. If no event types are selected, all events are delivered.

Endpoint Returning Non-2xx

Any response other than 2xx is treated as a delivery failure and triggers a retry. Common mistakes:

Returning 4xx from signature verification failure: this causes retries even though the request was intentionally rejected. For permanent rejections (e.g. wrong endpoint), return 2xx and discard.
Timing out (>15 seconds): process webhooks asynchronously and return 2xx immediately.

Receiving Duplicate Events

This is expected. Medallion guarantees at-least-once delivery. Use the webhook-id header as a deduplication key. See Retry & Reliability.

Out-of-Order Events

Events are not guaranteed to arrive in order. Use the updated_at field in the payload to determine the correct sequence. If you receive an event with an updated_at earlier than the last event you processed for the same resource, discard it.

Replaying Missed Events

Open the Webhooks page, select your endpoint, and go to the Logs tab. Select the message you want to replay and click Replay. This re-delivers the original payload to your endpoint. Events can be replayed within 90 days of delivery.