Create Webhook

curl --request POST \
  --url https://api.example.com/v1/webhooks \
  --header 'Content-Type: application/json' \
  --data '
{
  "url": "<string>",
  "events": [
    {}
  ],
  "description": "<string>",
  "active": true
}
'

{
  "data": {
    "webhook": {
      "id": "<string>",
      "url": "<string>",
      "events": [
        {}
      ],
      "description": "<string>",
      "active": true,
      "secret": "<string>",
      "created_at": "<string>"
    }
  }
}

POST

webhooks

Create Webhook

curl --request POST \
  --url https://api.example.com/v1/webhooks \
  --header 'Content-Type: application/json' \
  --data '
{
  "url": "<string>",
  "events": [
    {}
  ],
  "description": "<string>",
  "active": true
}
'

{
  "data": {
    "webhook": {
      "id": "<string>",
      "url": "<string>",
      "events": [
        {}
      ],
      "description": "<string>",
      "active": true,
      "secret": "<string>",
      "created_at": "<string>"
    }
  }
}

Request

Headers

Authorization: Bearer wbk_your_api_key_here
Content-Type: application/json

Requires an API key with the webhooks:write permission.

Body Parameters

url

string

required

HTTPS URL that will receive event deliveries. Must start with https://. URLs that resolve to private IP ranges are rejected (SSRF protection).

events

array

required

Array of event type strings to subscribe to. See Webhooks for the full list of 28 supported events.

description

string

Optional human-readable description (max 200 chars).

active

boolean

default:"true"

Whether the webhook should be active immediately. Set to false to register but pause deliveries.

Response

The secret field is returned only once — at creation time. Store it in a secure secret manager immediately. It cannot be retrieved later; if lost, delete and recreate the webhook to rotate.

data

object

Show properties

webhook

object

Show Webhook object

string

Unique webhook ID (UUID)

url

string

The HTTPS target URL

events

array

Subscribed event types

description

string

Description

active

boolean

Whether deliveries are enabled

secret

string

Returned only on creation. The signing secret for HMAC-SHA256 verification. Prefixed with whsec_.

created_at

string

ISO 8601 timestamp

curl -X POST https://data.leadlex.com/functions/v1/api-gateway/v1/webhooks \
  -H "Authorization: Bearer wbk_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/leadlex/webhook",
    "events": ["contact.created", "deal.updated"],
    "description": "Production CRM sync",
    "active": true
  }'

Example Response

{
  "data": {
    "webhook": {
      "id": "7f3c4d2a-1b8e-4a9c-9d6f-2e5b8c7a1f3d",
      "url": "https://example.com/leadlex/webhook",
      "events": ["contact.created", "deal.updated"],
      "description": "Production CRM sync",
      "active": true,
      "secret": "whsec_9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f",
      "created_at": "2026-04-17T14:23:05Z"
    }
  }
}

Errors

Status	Code	Description
400	`invalid_url`	URL is not HTTPS, is malformed, or resolves to a private IP range
400	`invalid_events`	One or more event names are not recognized
400	`missing_required_field`	`url` or `events` is missing
401	`invalid_key`	Invalid or expired API key
403	`insufficient_permissions`	Missing `webhooks:write` permission
409	`duplicate_webhook`	A webhook with this URL already exists
429	`rate_limited`	Rate limit exceeded

List Webhooks Update Webhook

​Request

​Headers

​Body Parameters

​Response

​Example Response

​Errors

Request

Headers

Body Parameters

Response

Example Response

Errors