Skip to main content
PATCH
Partially updates webhook delivery settings for an app.

Request

Authorization
string
required
Bearer <API_KEY> from Console > Developers > Workspace API Keys.
Content-Type
string
application/json

Path parameters

client_id
string
required
Client identifier of the app.

Request body

The secret field cannot be set via this endpoint. Webhook signing secrets are provisioned server-side only. To rotate your signing secret, use POST /apps/{client_id}/webhook-config/rotate-secret.
url
string
Destination URL for webhook delivery.
enabled
boolean
Toggle webhook delivery.
retryAttempts
number
Stored on the app for future per-app customization. Currently not enforced per-app — the delivery pipeline uses a workspace-wide default (3 attempts, exponential backoff at 1s / 5s / 30s). Per-app override is on the roadmap.
timeoutSeconds
number
Stored on the app. Currently the delivery pipeline uses a workspace-wide default (10s per attempt). Per-app override is on the roadmap.
events
string[]
Subscribed webhook events. See the Webhook Event Types reference for the full list. Common values: verification.created, verification.completed, verification.failed, verification.session.timed_out, verification.workflow.cancelled.

Response

Returns the updated webhook configuration.
Webhooks are signed via HMAC-SHA256 using the app’s webhook secret. Each delivery includes an X-Hopae-Signature header in the format t=<unix-timestamp>,v1=<hex-hmac-sha256>. See the Webhook Signature Verification guide for verification code and replay-protection recommendations.