Skip to content

Documentation

Webhooks

Subscribe to four request events. Every payload is HMAC SHA-256 signed so your receiver can verify authenticity.

Where:
Settings → Integrations → Webhooks
Permission:
MANAGE_INTEGRATIONS
Updated:
July 2026

Overview

  • Four subscription event types are emitted: request.created, request.updated, request.resolved, and approval.decided. (A status change is delivered as request.updated; resolving a request fires request.resolved.) Automations can additionally POST to one specific endpoint via the Call a webhook action — those arrive as automation.fired regardless of the endpoint's subscriptions.
  • Payloads are HMAC SHA-256 signed in the x-eventier-signature header, computed over the raw JSON body. The event name is also sent in an x-eventier-event header.
  • The signing secret (prefixed whsec_) is generated and shown once when the webhook is created.
  • Failed deliveries are retried up to three times in immediate succession. The webhook detail page shows delivery history with response codes and bodies.

Step by step

  1. 01

    Create a webhook

    Settings → Integrations → Webhooks → New. Provide a label, your endpoint URL, and check the events to subscribe to. Copy the signing secret — it's shown only once.

  2. 02

    Verify the signature

    On your endpoint, compute HMAC SHA-256 over the raw request body with the signing secret, and compare it to the value in the x-eventier-signature header. Reject on mismatch.

  3. 03

    Handle retries

    A non-2xx response triggers up to three immediate retry attempts. Make your handler idempotent, and inspect the delivery history on the webhook detail page to debug failures.

  4. 04

    Roll the secret

    The signing secret is shown only at creation. To roll it, create a new webhook endpoint with the same URL, cut over your verifier, then delete the old one.