postmark-webhooks
Facilitates the setup of Postmark webhooks for tracking email events like delivery, bounces, and opens, enhancing email marketing strategies.
Security score
The postmark-webhooks skill was audited on Mar 8, 2026 and we found 41 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Curl to non-GitHub URL
| 77 | curl "https://api.postmarkapp.com/webhooks" \ |
Webhook reference - potential data exfiltration
| 2 | name: postmark-webhooks |
Webhook reference - potential data exfiltration
| 3 | description: Use when setting up Postmark webhooks for tracking email delivery, bounces, opens, clicks, spam complaints, or subscription changes — includes webhook configuration, payload handling, and |
Webhook reference - potential data exfiltration
| 10 | # Postmark Webhooks |
Webhook reference - potential data exfiltration
| 14 | Postmark webhooks deliver real-time event data to your endpoint via HTTP POST. Use webhooks to track what happens after you send an email. |
Webhook reference - potential data exfiltration
| 27 | 1. **Create a webhook** via API or [Postmark dashboard](https://account.postmarkapp.com) (Server → Webhooks) |
Webhook reference - potential data exfiltration
| 33 | ## Webhook API |
Webhook reference - potential data exfiltration
| 39 | | `/webhooks` | `GET` | List all webhooks for a message stream | |
Webhook reference - potential data exfiltration
| 40 | | `/webhooks/{webhookid}` | `GET` | Get a specific webhook | |
Webhook reference - potential data exfiltration
| 41 | | `/webhooks` | `POST` | Create a webhook | |
Webhook reference - potential data exfiltration
| 42 | | `/webhooks/{webhookid}` | `PUT` | Update a webhook | |
Webhook reference - potential data exfiltration
| 43 | | `/webhooks/{webhookid}` | `DELETE` | Delete a webhook | |
Webhook reference - potential data exfiltration
| 45 | ### Create a Webhook |
Webhook reference - potential data exfiltration
| 51 | const webhook = await client.createWebhook({ |
Webhook reference - potential data exfiltration
| 52 | Url: 'https://yourdomain.com/webhooks/postmark', |
Webhook reference - potential data exfiltration
| 55 | Username: 'webhook-user', |
Webhook reference - potential data exfiltration
| 56 | Password: 'webhook-secret' |
Webhook reference - potential data exfiltration
| 71 | console.log('Webhook created:', webhook.ID); |
Webhook reference - potential data exfiltration
| 77 | curl "https://api.postmarkapp.com/webhooks" \ |
Webhook reference - potential data exfiltration
| 83 | "Url": "https://yourdomain.com/webhooks/postmark", |
Webhook reference - potential data exfiltration
| 107 | ## Webhook Payloads |
Webhook reference - potential data exfiltration
| 112 | app.post('/webhooks/postmark', (req, res) => { |
Webhook reference - potential data exfiltration
| 150 | Use the Bounces API and Suppression Management API alongside webhooks for comprehensive bounce handling. |
Webhook reference - potential data exfiltration
| 154 | ## Webhook Management |
Webhook reference - potential data exfiltration
| 156 | See [references/webhook-setup.md](references/webhook-setup.md) for list, update, delete, and retry schedule details. |
Webhook reference - potential data exfiltration
| 163 | | Slow webhook handling | Respond 200 immediately, then process in background (queue, worker) | |
Webhook reference - potential data exfiltration
| 164 | | No authentication | Use HTTP Basic Auth or custom headers to verify webhook source | |
Webhook reference - potential data exfiltration
| 167 | | Duplicate handling | Webhooks may be delivered more than once — use `MessageID` for deduplication | |
Webhook reference - potential data exfiltration
| 168 | | Missing MessageStream filter | Specify `MessageStream` when creating webhooks to avoid cross-stream events | |
Webhook reference - potential data exfiltration
| 169 | | Not tracking metadata | Include `Metadata` when sending to correlate webhook events with your records | |
Webhook reference - potential data exfiltration
| 173 | - Webhooks are configured per message stream — create separate webhooks for `outbound` and `broadcast` |
Webhook reference - potential data exfiltration
| 174 | - Always respond HTTP 200 immediately — process webhook data asynchronously |
Webhook reference - potential data exfiltration
| 175 | - Postmark retries failed webhook deliveries up to **10 times** over ~10.5 hours with escalating intervals: 1 min, 5 min, 10 min, 10 min, 10 min, 15 min, 30 min, 1 hr, 2 hrs, 6 hrs. A **403 response** |
Webhook reference - potential data exfiltration
| 176 | - Use `MessageID` to correlate webhook events with sent emails |
Webhook reference - potential data exfiltration
| 177 | - `Metadata` from the original send is included in all webhook payloads |
Webhook reference - potential data exfiltration
| 180 | - Bounce webhooks fire for bounces and blocks — check the `Type` field to distinguish |
Access to .env file
| 49 | const client = new postmark.ServerClient(process.env.POSTMARK_SERVER_TOKEN); |
External URL reference
| 27 | 1. **Create a webhook** via API or [Postmark dashboard](https://account.postmarkapp.com) (Server → Webhooks) |
External URL reference
| 52 | Url: 'https://yourdomain.com/webhooks/postmark', |
External URL reference
| 77 | curl "https://api.postmarkapp.com/webhooks" \ |
External URL reference
| 83 | "Url": "https://yourdomain.com/webhooks/postmark", |
Install this skill with one command
/learn @activecampaign/postmark-webhooks