GET https://api.veriko.mx/v1/webhooks

List webhook endpoints

Audience
public
Auth
API key
Permission
webhooks:read
How-to guide →

Returns all webhook endpoints registered by the authenticated user, with their current status (active, disabled) and subscribed events. The signing secret is not exposed here — it appears only once in the POST /v1/webhooks response when the endpoint is created. To verify an endpoint is still reachable use POST /v1/webhooks/{id}/test.

Request
curl -X GET 'https://api.veriko.mx/v1/webhooks' \
  -H 'Authorization: Bearer mxcep_••••'

Python example — coming soon.

JavaScript example — coming soon.

PHP example — coming soon.

Response 200 WebhookEndpoint — List of the user's webhook endpoints with their status and subscribed events.
Field Type Description
type * string

id * string (uuid)

Endpoint identifier.

attributes * object

Canonical webhook endpoint attributes (receiver URL, subscribed events, status, and secret).

url string (uri)

HTTPS receiver URL. Production rejects plain HTTP, URLs resolving to private IPs (SSRF), and URLs `>2048` chars.

events array

List of subscribed events. Maximum 10.

description string | null nullable

Free-form endpoint label.

status string

`active` receives deliveries. `disabled` was manually paused. `auto_disabled` was disabled by the platform after exceeding `webhooks.auto_disable_threshold` consecutive failures.

consecutive_failures integer

Consecutive failures counter. Resets on a success.

last_delivery_at union

UTC timestamp of the last delivery attempt (any status). `null` when the endpoint hasn't received any delivery yet.

secret string

Shared secret for signature verification. **Only present** in the create and rotate-secret responses; omitted from every other response.

secret_hint string

Last 4 chars of the secret prefixed with `...`. Present on any response where the full `secret` is hidden.

created_at string (date-time)

ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable.

updated_at string (date-time)

ISO 8601 timestamp in UTC with explicit `Z` suffix. Example: `"2026-05-01T05:14:38Z"`. Every datetime field uses this shape. The descriptor at `meta.datetime` makes the contract runtime-assertable.

Response status codes GET /v1/webhooks
Status Class Description Body
200 2xx List of the user's webhook endpoints with their status and subscribed events. No body
401 4xx Authentication is required or the provided credentials are invalid. ErrorResponse
403 4xx Permisos insuficientes ErrorResponse
429 4xx Rate limit exceeded ErrorResponse
Errors from GET /v1/webhooks
Status Code Detail
401 unauthorized

Invalid or missing authentication credentials.

Envelope
meta.request_id
c4d5e6f7a8b9
403 forbidden

You do not have permission to access this resource.

Envelope
meta.request_id
d5e6f7a8b9c0
429 rate_limit_exceeded

Rate limit exceeded. Try again in 45 seconds.

Envelope
meta.request_id
f7a8b9c0d1e2
Response headers
  • Retry-After : integer — Seconds to wait before retrying. Matches the endpoint's rate-limit window (typically 60s for list endpoints, 1-5s for in-flight idempotent operations).
  • X-RateLimit-Limit : integer — Configured request cap for this bucket (emitted only on 429).
  • X-RateLimit-Remaining : integer — Requests remaining in the current window — always 0 at the moment of the 429 (emitted only on 429).
  • X-RateLimit-Reset : integer — Absolute Unix epoch (seconds) when the window resets. Emitted only on 429, alongside Retry-After. Per-endpoint overrides exist (e.g. `rate_limited_login`).