CreateWebhookEndpointResp
- Type: object
Returned by
POST /webhook-endpoints— extends the standardWebhookEndpointRespwith the signingsecret. The secret is shown ONCE here and never again — store it immediately. To recover from a lost secret, rotate viaPOST /webhook-endpoints/{id}/rotate-secret.- secretType: stringrequired
Signing secret for verifying the authenticity of webhook deliveries.
Algorithm:
HMAC-SHA256(secret, '<t>.<raw-body>'), where<t>is the unix-millisecond timestamp the signature was computed against.Header:
X-Webhook-Signature: t=<t>,v1=<sig>[,v1=<sig>...]. Thet=part carries the timestamp,v1=carries the scheme version, and multiplev1=entries may appear during a rotation grace window — verification with either of your stored secrets passes.Replay protection: reject events whose
t=is more than 5 minutes from your server's clock — prevents an attacker who captures a valid signed payload from re-sending it later.Returned only here at create time — store it immediately, it cannot be retrieved again.
- createdType: stringFormat: date-time
At When the webhook endpoint was created.
- descriptionType: string
Free-text label set on create / update.
- eventType: array string[] · WebhookEventType[]enum
Types Event types currently subscribed.
values- workflow
.started - workflow
.failed - workflow
.completed - workflow
.declined - workflow
.voided
- idType: string
Webhook endpoint ID. Stable for the life of the config — survives pause / resume and is preserved across secret rotations.
- isType: boolean
Active truewhen the webhook is firing;falsewhen paused. Paused webhooks don't count against the per-namespace cap of 4 active webhooks. - retryType: object
Config Retry policy applied to failed deliveries (network errors, non-2xx responses).
- updatedType: stringFormat: date-time
At Last update to any field (URL, eventTypes, description, isActive, secret rotation).
- urlType: stringFormat: uri
Endpoint currently receiving deliveries for this config.
