Webhook Endpoints
Each organization can configure multiple endpoints to receive event notifications.
Endpoint Fields
| Field | Description |
|---|---|
| URL | HTTPS address that will receive notifications |
| Description | Endpoint description (max 255 characters) |
| Events | List of subscribed event types |
| Secret | HMAC-SHA256 key for signature validation |
| Active | Whether the endpoint is enabled |
Creating an Endpoint
Upon creation, the system automatically generates a secret (whsec_...) that is shown only at creation time. Store it securely — it is required to validate webhook signatures.
Webhook Signature
Each delivery includes a signature header:
X-Webhook-Signature: t=<timestamp>,v1=<sha256_hex>
Verification
- Extract the timestamp and signature from the header
- Reconstruct: `${timestamp}.${payload_json}`
- Compute HMAC-SHA256 using the secret
- Compare with the signature (timing-safe comparison)
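The verification steps above as a receiver-side check. This is an added example, not code from the platform described here. It assumes the secret string is used as-is as the HMAC key, that `payload_json` is the raw request body bytes, and that the timestamp is Unix seconds; the 300-second freshness window is an added replay check the page does not specify.

```python
import hashlib
import hmac
import time


def parse_signature_header(header):
    """Split 't=<timestamp>,v1=<sha256_hex>' into (timestamp, signature)."""
    fields = {}
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    timestamp, signature = fields.get("t"), fields.get("v1")
    if not timestamp or not signature:
        raise ValueError("malformed X-Webhook-Signature header")
    return timestamp, signature


def expected_signature(secret, timestamp, raw_body):
    """HMAC-SHA256 over '<timestamp>.<payload_json>', hex encoded."""
    # Sign the raw bytes as received; re-serializing parsed JSON can change them.
    signed = timestamp.encode("utf-8") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, header, raw_body, tolerance=300, now=None):
    """Return True only for a well-formed, fresh, correctly signed delivery."""
    try:
        timestamp, signature = parse_signature_header(header)
        sent_at = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > tolerance:  # assumed replay window, not from the page
        return False
    expected = expected_signature(secret, timestamp, raw_body)
    # Timing-safe comparison, as the verification steps require.
    return hmac.compare_digest(expected.encode(), signature.lower().encode())


# Constructed sample delivery (placeholder secret, not a real one).
SECRET = "whsec_example_not_a_real_secret"
BODY = b'{"event":"order.created","id":"evt_1"}'
TS = "1700000000"
HEADER = "t=%s,v1=%s" % (TS, expected_signature(SECRET, TS, BODY))
```

Call `verify_webhook` before parsing the JSON body, and reject the delivery when it returns `False`.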
Secret Rotation
When you suspect the secret has been compromised, use secret rotation. A new secret is generated and the previous one is invalidated immediately.
Webhook Test
Send a test payload to verify that the endpoint is configured correctly. The result includes the HTTP status and the received response.
Automatic Deactivation
After 10 consecutive delivery failures, the endpoint is automatically deactivated. To reactivate, fix the issue and update the endpoint to active.
SSRF Protection
URLs are validated to reject private IPs and localhost, preventing Server-Side Request Forgery attacks.