PATCH /apps/{client_id}/webhook-config

Partially updates webhook delivery settings for an app.

Request

Authorization (string, required): Bearer <API_KEY> from Console > Developers > Workspace API Keys.
Content-Type (string): application/json

Path parameters

client_id (string, required): Client identifier of the app.

Request body

The secret field cannot be set via this endpoint. Webhook signing secrets are provisioned server-side only. To rotate your signing secret, use POST /apps/{client_id}/webhook-config/rotate-secret.

url (string): Destination URL for webhook delivery.
enabled (boolean): Toggle webhook delivery.
retryAttempts (number): Stored on the app for future per-app customization. Currently not enforced per-app — the delivery pipeline uses a workspace-wide default (3 attempts, exponential backoff at 1s / 5s / 30s). Per-app override is on the roadmap.
timeoutSeconds (number): Stored on the app. Currently the delivery pipeline uses a workspace-wide default (10s per attempt). Per-app override is on the roadmap.
events (string[]): Subscribed webhook events. See the Webhook Event Types reference for the full list. Common values: verification.created, verification.completed, verification.failed, verification.session.timed_out, verification.workflow.cancelled.

Response

Returns the updated webhook configuration.

curl -X PATCH \
  -H "Authorization: Bearer sk_workspace_test_..." \
  -H "Content-Type: application/json" \
  -d '{"events":["verification.completed","verification.failed"],"retryAttempts":3,"timeoutSeconds":10}' \
  "https://sandbox.api.hopae.com/connect/v1/apps/abc123/webhook-config"

{
  "url": "https://hooks.example.com/hopae",
  "enabled": true,
  "retryAttempts": 3,
  "timeoutSeconds": 10,
  "secret": "whsec_abc123def456ghi789jkl012mno345",
  "events": [
    "verification.initiated",
    "verification.completed",
    "verification.awaiting_user_action",
    "verification.failed",
    "verification.expired",
    "verification.cancelled"
  ]
}

Webhooks are signed via HMAC-SHA256 using the app’s webhook secret. Each delivery includes an X-Hopae-Signature header in the format t=<unix-timestamp>,v1=<hex-hmac-sha256>. See the Webhook Signature Verification guide for verification code and replay-protection recommendations.
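
A receiver-side check for the X-Hopae-Signature header format described above, as an added example that is not Hopae's code. This page does not state which bytes are signed, how the secret is keyed, or the replay window; the example assumes the signed string is `<t>.<raw body>`, the secret string is used as UTF-8 key bytes, and a 300-second tolerance, so confirm all three against the Webhook Signature Verification guide. The function names and the sample body are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # ASSUMPTION: replay window, not stated on this page

def parse_signature_header(header):
    """Split 't=<unix-timestamp>,v1=<hex>' into (timestamp, [v1 digests as bytes])."""
    timestamp, digests = None, []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed signature element")
        if key == "t":
            # Bound the length so a huge integer cannot break the freshness check.
            if not (value.isascii() and value.isdigit() and len(value) <= 12):
                raise ValueError("bad timestamp")
            timestamp = int(value)
        elif key == "v1":
            digests.append(value.lower().encode())
    if timestamp is None or not digests:
        raise ValueError("missing t= or v1= element")
    return timestamp, digests

def signed_payload(timestamp, body):
    # ASSUMPTION: the signed string is "<t>.<raw body>"; confirm against the guide.
    return str(timestamp).encode() + b"." + body

def verify_webhook(header, body, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """Return True only for a fresh delivery whose HMAC-SHA256 matches."""
    try:
        timestamp, digests = parse_signature_header(header)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > tolerance:
        return False  # stale or future-dated: treat as a possible replay
    # ASSUMPTION: the whsec_ string itself, UTF-8 encoded, is the HMAC key.
    mac = hmac.new(secret.encode(), signed_payload(timestamp, body), hashlib.sha256)
    expected = mac.hexdigest().encode()
    # compare_digest keeps the comparison constant-time.
    return any(hmac.compare_digest(expected, d) for d in digests)

# Constructed sample delivery; the secret is the example value shown in the response above.
SECRET = "whsec_abc123def456ghi789jkl012mno345"
BODY = b'{"type":"verification.completed"}'  # constructed body, field name is hypothetical
T = 1700000000
HEADER = "t=%d,v1=%s" % (
    T, hmac.new(SECRET.encode(), signed_payload(T, BODY), hashlib.sha256).hexdigest())
```

Pass the raw request bytes as `body`, not a re-serialized JSON object, since any change in whitespace or key order changes the HMAC.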