Create a publicly reachable HTTPS endpoint in your application to receive POST requests from EasyPost
POST to https://api.easypost.com/v2/webhooks with url and optionally webhook_secret to register the endpoint; store the returned id
Optionally filter event types by including an event_types array (e.g. tracker.updated, tracker.created) in the creation request
On each inbound webhook request, validate authenticity by computing an HMAC-SHA256 of the raw request body using your webhook_secret and comparing it to the X-Hmac-Signature header
Parse the result.status field in tracker.updated payloads to map carrier statuses to your internal delivery states
Return HTTP 200 within 7 seconds; if processing takes longer, acknowledge immediately and process asynchronously to prevent EasyPost retries
Known gotchas
EasyPost sends all event types to a webhook by default if no event_types filter is specified; high-volume accounts can receive thousands of events per hour — filter to only the events your application needs
Webhook retries occur if no 2xx response is received within 7 seconds; duplicate event delivery is possible, so use the event id field to implement idempotent processing
The X-Hmac-Signature header is only present when a webhook_secret was set at registration time; without it there is no authenticity guarantee and any actor can POST fake events to your endpoint
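The signature check from the steps above combined with the retry and missing-header gotchas, as an added example (not code from the original page or from EasyPost). The internal state names, the in-memory `seen_ids` store, and the sample event are constructed; the NFKD normalization of the secret and the `hmac-sha256-hex=` header prefix are assumptions to confirm against EasyPost's current documentation.

```python
import hashlib
import hmac
import json
import unicodedata

PREFIX = "hmac-sha256-hex="  # assumed header prefix, see lead-in
# Hypothetical internal delivery states keyed by carrier tracker status.
STATUS_MAP = {"pre_transit": "LABEL_CREATED", "in_transit": "SHIPPED",
              "out_for_delivery": "SHIPPED", "delivered": "DELIVERED",
              "return_to_sender": "RETURNING", "failure": "EXCEPTION"}


def signature_valid(raw_body: bytes, header_value, secret: str) -> bool:
    """Check X-Hmac-Signature against HMAC-SHA256 of the raw, unparsed body."""
    if not header_value:
        return False  # no header means no authenticity guarantee: reject
    key = unicodedata.normalize("NFKD", secret).encode("utf-8")  # assumption
    expected = hmac.new(key, raw_body, hashlib.sha256).hexdigest()
    received = header_value.strip()
    if received.startswith(PREFIX):
        received = received[len(PREFIX):]
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


def handle_webhook(raw_body: bytes, headers: dict, secret: str, seen_ids: set):
    """Return (http_status, outcome); seen_ids stands in for a durable store."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not signature_valid(raw_body, lowered.get("x-hmac-signature"), secret):
        return 401, "rejected"
    event = json.loads(raw_body)  # parse only after the signature checks out
    if event["id"] in seen_ids:
        return 200, "duplicate"  # acknowledge the retry, do not reprocess
    seen_ids.add(event["id"])
    status = event.get("result", {}).get("status")
    return 200, STATUS_MAP.get(status, "UNKNOWN")


if __name__ == "__main__":
    secret = "constructed-test-secret"  # constructed sample values
    body = json.dumps({"id": "evt_constructed_1",
                       "result": {"status": "delivered"}}).encode()
    sig = PREFIX + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    seen = set()
    print(handle_webhook(body, {"X-Hmac-Signature": sig}, secret, seen))
    print(handle_webhook(body, {"X-Hmac-Signature": sig}, secret, seen))
    print(handle_webhook(body, {}, secret, seen))
```

Pass the body bytes exactly as received; re-serializing parsed JSON before hashing changes the bytes and makes valid signatures fail.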