Webhooks

Webhooks let organizations receive real-time HTTP notifications when events occur in their workspace. Each organization can register multiple webhook endpoints and subscribe to specific events.

Webhook Model

The Webhook model stores endpoint configuration:

• organization_id — the organization this webhook belongs to
• url — the HTTPS endpoint that will receive POST requests
• secret — a shared secret used for HMAC signature verification
• events — JSON array of event names to subscribe to
• enabled — boolean toggle to pause/resume delivery
• last_triggered_at — timestamp of the most recent delivery

Endpoints

List Webhooks

GET /api/organizations/{org}/webhooks

Returns all webhooks for the organization.

Create Webhook

POST /api/organizations/{org}/webhooks

{
    "url": "https://example.com/webhooks",
    "events": ["member.invited", "member.joined", "api_key.created"],
    "enabled": true
}

A secret is auto-generated and returned in the response. Store it securely — it is used to verify webhook signatures.

Update Webhook

PATCH /api/organizations/{org}/webhooks/{id}

{
    "url": "https://example.com/webhooks/v2",
    "events": ["*"],
    "enabled": true
}

Delete Webhook

DELETE /api/organizations/{org}/webhooks/{id}

Permanently removes the webhook and its delivery history.

View Deliveries

GET /api/organizations/{org}/webhooks/{id}/deliveries

Returns the recent delivery history for a webhook (last 50 deliveries).

Signature Verification

Every webhook request includes an HMAC-SHA256 signature in the X-Signature header. To verify:

$payload = file_get_contents('php://input');
$signature = hash_hmac('sha256', $payload, $webhookSecret);

if (hash_equals($signature, $request->header('X-Signature'))) {
    // Signature is valid
}

Always verify signatures before processing webhook payloads to ensure they originated from LaunchKit.