WebhookEndpoint
Webhook endpoint configured by the user. Delivery signatures use HMAC-SHA256 over the raw JSON body with `secret` as the key; the signature ships in `X-{Brand}-Signature: sha256=<hex>` alongside `X-{Brand}-Event`, `X-{Brand}-Delivery-Id` and `X-{Brand}-Timestamp`. The `X-{Brand}-Timestamp` value is ISO 8601 UTC (`format: date-time`, `Z` suffix), e.g. `2026-05-29T12:00:00Z`. The `secret` is returned in cleartext ONLY on create (`POST /webhooks`) and rotate (`POST /webhooks/{id}/regenerate-secret`); every other response substitutes `secret_hint` (last 4 characters).
Properties
| Field | Type | Description |
|---|---|---|
type * | string | |
id * | string (uuid) | Endpoint identifier. |
attributes * | object | Canonical webhook endpoint attributes (receiver URL, subscribed events, status, and secret). |
url | string (uri) | HTTPS receiver URL. Production rejects plain HTTP, URLs resolving to private IPs (SSRF), and URLs `>2048` chars. |
events | array | List of subscribed events. Maximum 10. |
description | string | null | Free-form endpoint label. |
status | string | `active` receives deliveries. `disabled` was manually paused. `auto_disabled` was disabled by the platform after exceeding `webhooks.auto_disable_threshold` consecutive failures. |
consecutive_failures | integer | Consecutive failures counter. Resets on a success. |
last_delivery_at | union | UTC timestamp of the last delivery attempt (any status). `null` when the endpoint hasn't received any delivery yet. |
secret | string | Shared secret for signature verification. **Only present** in the create and rotate-secret responses; omitted from every other response. |
secret_hint | string | Last 4 chars of the secret prefixed with `...`. Present on any response where the full `secret` is hidden. |
created_at | string (date-time) | ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable. |
updated_at | string (date-time) | ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable. |
Used in operations
GET /v1/webhooksPOST /v1/webhooksPUT /v1/webhooks/{id}POST /v1/webhooks/{id}/regenerate-secret