← Back to schema index

WebhookEndpoint

Webhook endpoint configured by the user. Delivery signatures use HMAC-SHA256 over the raw JSON body with `secret` as the key; the signature ships in `X-{Brand}-Signature: sha256=<hex>` alongside `X-{Brand}-Event`, `X-{Brand}-Delivery-Id` and `X-{Brand}-Timestamp`. The `X-{Brand}-Timestamp` value is ISO 8601 UTC (`format: date-time`, `Z` suffix), e.g. `2026-05-29T12:00:00Z`. The `secret` is returned in cleartext ONLY on create (`POST /webhooks`) and rotate (`POST /webhooks/{id}/regenerate-secret`); every other response substitutes `secret_hint` (last 4 characters).

Properties

Field Type Description
type * string
id * string (uuid) Endpoint identifier.
attributes * object Canonical webhook endpoint attributes (receiver URL, subscribed events, status, and secret).
url string (uri) HTTPS receiver URL. Production rejects plain HTTP, URLs resolving to private IPs (SSRF), and URLs `>2048` chars.
events array List of subscribed events. Maximum 10.
description string | null Free-form endpoint label.
status string `active` receives deliveries. `disabled` was manually paused. `auto_disabled` was disabled by the platform after exceeding `webhooks.auto_disable_threshold` consecutive failures.
consecutive_failures integer Consecutive failures counter. Resets on a success.
last_delivery_at union UTC timestamp of the last delivery attempt (any status). `null` when the endpoint hasn't received any delivery yet.
secret string Shared secret for signature verification. **Only present** in the create and rotate-secret responses; omitted from every other response.
secret_hint string Last 4 chars of the secret prefixed with `...`. Present on any response where the full `secret` is hidden.
created_at string (date-time) ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable.
updated_at string (date-time) ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable.

Used in operations

  • GET /v1/webhooks
  • POST /v1/webhooks
  • PUT /v1/webhooks/{id}
  • POST /v1/webhooks/{id}/regenerate-secret