Getting Started

OverviewQuickstartArchitecture

API Reference

Idempotent RecordsWebhooksContractsAuth / Keys

SDK

InstallUsage

Guides

IdempotencyWebhook GatewayProvider Verification MatrixWebhook ConfigurationData RetentionControlled LaunchSecurity and Data ProtectionSecurity Review PackTraffic ProtectionObservability DashboardChargeback SimulationOnboarding FlowBackoffice Overview

Examples

PaymentsStripePayPal / Braintree StatusGeneric HMACShopifyGitHub

Controlled Launch

Syllecta can be used for free evaluation during the controlled launch period. This is a pilot/evaluation contract, not approval for production-critical traffic by default.

Starter Evaluation Package

  • One Starter Evaluation workspace.
  • 1,000 free events per month.
  • No billing setup or payment method required.
  • Email verification before workspace access.
  • Paid plans and self-service upgrades are not available yet.
  • Production-critical traffic, sustained high volume, and sensitive regulated payloads require explicit approval first.

What Evaluation Covers

  • Sign in, dashboard, and observability views.
  • Sandbox webhook ingestion and delivery tests.
  • Chargeback simulation flows.
  • Webhook failure triage, retry, and replay behavior.
  • API key and webhook secret management from the tenant console.

What Requires Approval

  • Production payment webhooks.
  • Production-critical callbacks.
  • High-volume load tests.
  • Sustained high-volume or bursty provider traffic that needs tenant/provider-specific capacity sizing.
  • Payloads containing sensitive card data, access tokens, passwords, session cookies, long-lived secrets, or unnecessary personal data.
  • Internal, private, localhost, or non-public callback URLs.

Use the Traffic protection checklist before approving any high-volume traffic.

Credential Handling

Tenant users should create and rotate their own API keys in the console. API key values are shown once and are stored as masked/hash-backed records after creation.

For provider webhooks, tenant users should paste provider-issued signing material only for providers that are enabled for their tenant. Stripe, Shopify, GitHub, and Generic HMAC are the default supported paths; PayPal requires controlled rollout approval; Braintree is reserved until its verifier is enabled. The Generate action is only for Generic HMAC/test-mode flows where the tenant controls both sides of the shared secret.

Syllecta admins may revoke, disable, or rotate credentials for support and emergency recovery, but admin-to-tenant secret handoff is not the normal operating model.

Support Model

During controlled launch, support is manual and best-effort through the agreed pilot channel. Response time is not an SLA unless a separate written agreement says otherwise.

When reporting an issue, include:

  • tenant/workspace name;
  • provider;
  • approximate event time;
  • event id or correlation id when available;
  • whether the issue affects sandbox or approved production traffic.

Do not paste raw secrets or sensitive payloads into support messages.

Offboarding

If evaluation ends or a workspace should be paused:

  • disable affected users;
  • revoke active API keys;
  • deactivate or rotate webhook secrets;
  • stop provider-side webhooks pointed at Syllecta;
  • decide whether test webhook/simulation data should be preserved, anonymized, or deleted when allowed by retention and audit rules.

Financial, audit, and security records may be retained where needed for operational integrity.