Webhooks
Subscribe to four request events. Every payload is HMAC SHA-256 signed so your receiver can verify authenticity.
- Where:
- Settings → Integrations → Webhooks
- Permission:
- MANAGE_INTEGRATIONS
- Updated:
- July 2026
Overview
- Four subscription event types are emitted: request.created, request.updated, request.resolved, and approval.decided. (A status change is delivered as request.updated; resolving a request fires request.resolved.) Automations can additionally POST to one specific endpoint via the Call a webhook action — those arrive as automation.fired regardless of the endpoint's subscriptions.
- Payloads are HMAC SHA-256 signed in the x-eventier-signature header, computed over the raw JSON body. The event name is also sent in an x-eventier-event header.
- The signing secret (prefixed whsec_) is generated and shown once when the webhook is created.
- Failed deliveries are retried up to three times in immediate succession. The webhook detail page shows delivery history with response codes and bodies.
Step by step
- 01
Create a webhook
Settings → Integrations → Webhooks → New. Provide a label, your endpoint URL, and check the events to subscribe to. Copy the signing secret — it's shown only once.
- 02
Verify the signature
On your endpoint, compute HMAC SHA-256 over the raw request body with the signing secret, and compare it to the value in the x-eventier-signature header. Reject on mismatch.
- 03
Handle retries
A non-2xx response triggers up to three immediate retry attempts. Make your handler idempotent, and inspect the delivery history on the webhook detail page to debug failures.
- 04
Roll the secret
The signing secret is shown only at creation. To roll it, create a new webhook endpoint with the same URL, cut over your verifier, then delete the old one.