https://api.veriko.mx/v1/webhooks Create a webhook endpoint
How-to guide →Registers a new HTTPS endpoint for receiving event notifications. The signing secret is returned exclusively in this response and cannot be retrieved later — store it securely. Validate the incoming body with HMAC-SHA256 against the X-{Brand}-Signature: sha256=<hex> header. After creating the endpoint, send a synthetic delivery with POST /v1/webhooks/{id}/test to confirm the receiver returns 2xx before enabling production traffic.
| Parameter | Type | Required | Description |
|---|---|---|---|
url | string (uri) (?–2048) | required | HTTPS URL that receives the webhook. Must be HTTPS. |
events | array<string> (items: 1–10) | required | Events the endpoint subscribes to (1–10). |
description | string (?–255) | optional | Descriptive label for the endpoint. |
curl -X POST 'https://api.veriko.mx/v1/webhooks' \
-H 'Authorization: Bearer mxcep_••••' \
-H 'Content-Type: application/json' \
-d '{
"url": "https://webhook.example.com/platform",
"events": [
"validation.completed",
"validation.failed",
"validation.error",
"billing.payment_succeeded",
"billing.payment_failed"
],
"description": "Webhook plataforma completo"
}'
Python example — coming soon.
JavaScript example — coming soon.
PHP example — coming soon.
| Field | Type | Description |
|---|---|---|
type * | string | |
id * | string (uuid) | Endpoint identifier. |
attributes * | object | Canonical webhook endpoint attributes (receiver URL, subscribed events, status, and secret). |
url | string (uri) | HTTPS receiver URL. Production rejects plain HTTP, URLs resolving to private IPs (SSRF), and URLs `>2048` chars. |
events | array | List of subscribed events. Maximum 10. |
description | string | null nullable | Free-form endpoint label. |
status | string | `active` receives deliveries. `disabled` was manually paused. `auto_disabled` was disabled by the platform after exceeding `webhooks.auto_disable_threshold` consecutive failures. |
consecutive_failures | integer | Consecutive failures counter. Resets on a success. |
last_delivery_at | union | UTC timestamp of the last delivery attempt (any status). `null` when the endpoint hasn't received any delivery yet. |
secret | string | Shared secret for signature verification. **Only present** in the create and rotate-secret responses; omitted from every other response. |
secret_hint | string | Last 4 chars of the secret prefixed with `...`. Present on any response where the full `secret` is hidden. |
created_at | string (date-time) | ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable. |
updated_at | string (date-time) | ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable. |
| Status | Class | Description | Body |
|---|---|---|---|
| 201 | 2xx | Endpoint created. The `secret` field only appears in this response; store it securely to verify `X-{Brand}-Signature: sha256=<hex>` signatures (HMAC-SHA256 over the body). | No body |
| 401 | 4xx | Authentication is required or the provided credentials are invalid. | ErrorResponse |
| 403 | 4xx | Permisos insuficientes | ErrorResponse |
| 422 | 4xx | Invalid data. Possible codes: `webhook_url_required`, `webhook_url_too_long`, `webhook_url_invalid_format`, `webhook_url_not_https`, `webhook_events_required`, `webhook_events_too_many`, `webhook_event_invalid`, `webhook_limit_reached`. | ErrorResponse |
| 429 | 4xx | Rate limit exceeded | ErrorResponse |
| Status | Code | Detail |
|---|---|---|
| 401 | unauthorized | Invalid or missing authentication credentials. Envelope
|
| 403 | forbidden | You do not have permission to access this resource. Envelope
|
| 429 | rate_limit_exceeded | Rate limit exceeded. Try again in 45 seconds. Envelope
Response headers
|