# SendItWhenever

> SendItWhenever is a flat-rate, second-precise webhook scheduler for indie hackers and small SaaS. Schedule an HTTP webhook in three lines of SDK (Node or Python) and have it fired right on time — no Kafka, no EventBridge, and no usage-based billing surprises. The Indie plan is a flat $19/month.

## What it is
- A scheduled / delayed webhook launcher: register a target URL, a fire time, and a payload; we deliver the HTTP request at that moment.
- Delivery is best-effort second-level precision with Latency-Aware Early Firing (we measure your endpoint's round-trip time and fire that much earlier to offset it). It is not an absolute hard guarantee.
- An alternative to standing up your own cron/queue infrastructure (Kafka, EventBridge, BullMQ) or to serverless schedulers that cannot hold a long-delayed job (AWS Lambda, Vercel).

## Pricing
- Free: $0/month — 2,000 scheduled sends / month; Up to 50 KB payload per request; 20 / second delivery rate; 30-day scheduling window; 7-day delivery log retention; Email failure alerts.
- Indie: $19/month flat — 50,000 scheduled sends / month; Up to 256 KB payload per request; 500 / second delivery rate; 180-day scheduling window; 30-day delivery log retention; Slack + Discord + Email failure alerts.
- Flat-rate, not usage-based: your invoice does not spike when traffic does. Payments are processed by Lemon Squeezy as Merchant of Record.

## Competitive fact
- QStash's flat-rate plan starts at $180/month (its free tier is limited). SendItWhenever targets the gap between heavy-usage pricing and an indie budget with a flat $19/month.

## Core technology
- Encryption at Rest: payloads are encrypted with AES-256-GCM when stored and decrypted only in memory, exactly at fire time. Decrypted plaintext is never logged or persisted.
- HMAC signing: every outgoing webhook carries an `X-SendIt-Signature: t=<ts>,v1=<hmac>` header. Verify with one SDK call.
- Zero-downtime key rotation: a current/next two-key model — verification accepts either key, so secrets rotate without dropping requests.
- SSRF protection: targets must be HTTPS on port 80/443; DNS is re-resolved just before firing and private/reserved/cloud-metadata ranges (e.g. 169.254.169.254) are blocked; redirects are never followed.
- Reliability: traffic spikes are queued and smoothed (never dropped); automatic retries with exponential backoff, then a Dead Letter Queue; idempotency keys prevent duplicate delivery.

## SDKs
- Node: `npm install @sendithq/sdk` (Node 18+, zero runtime dependencies, TypeScript types included).
- Python: `pip install sendithq` (Python 3.9+, sync + async).
- Authentication: an API key (`Authorization: Bearer sw_live_…`). Keys are stored only as a SHA-256 hash and shown once at creation.
- Methods: `schedule`, `scheduleMany`, `list`, `get`, `getAttempts`, `reschedule`, `cancel`, `replay`, `clone`, `verifySignature`, and `signingSecrets.get`/`rotate`.

## Status
- Live. Self-serve signup is open — create an account with Google/GitHub OAuth or a one-time email magic link.
- The Free plan is available with no card required; an API key (shown once) authenticates the SDK and REST API.
- Founding price (Indie, first 50 customers): 1 month free, then $15/month locked for the life of the subscription — $19/month list afterwards. Higher-volume Studio and Scale tiers are on the public roadmap (https://www.sendit-whenever.com/roadmap).

## Links
- Home: https://www.sendit-whenever.com
- Docs: https://www.sendit-whenever.com/docs
- Pricing: https://www.sendit-whenever.com/pricing
- QStash comparison: https://www.sendit-whenever.com/compare/qstash
- EventBridge comparison: https://www.sendit-whenever.com/compare/eventbridge
- Full reference for AI: https://www.sendit-whenever.com/llms-full.txt