> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hopae.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Update Webhook Config

> Update webhook delivery settings for an app.

Partially updates webhook delivery settings for an app.

## Request

<ParamField header="Authorization" type="string" required>
  `Bearer <API_KEY>` from Console > Developers > Workspace API Keys.
</ParamField>

<ParamField header="Content-Type" type="string">
  `application/json`
</ParamField>

### Path parameters

<ParamField path="client_id" type="string" required>
  Client identifier of the app.
</ParamField>

### Request body

<Note>
  The `secret` field cannot be set via this endpoint. Webhook signing secrets are provisioned
  server-side only. To rotate your signing secret, use
  [POST /apps/\{client\_id}/webhook-config/rotate-secret](/api-reference/workspace/rotate-webhook-secret).
</Note>

<ParamField body="url" type="string">
  Destination URL for webhook delivery.
</ParamField>

<ParamField body="enabled" type="boolean">
  Toggle webhook delivery.
</ParamField>

<ParamField body="retryAttempts" type="number">
  Stored on the app for future per-app customization. **Currently not enforced per-app** — the delivery pipeline uses a workspace-wide default (3 attempts, exponential backoff at 1s / 5s / 30s). Per-app override is on the roadmap.
</ParamField>

<ParamField body="timeoutSeconds" type="number">
  Stored on the app. **Currently the delivery pipeline uses a workspace-wide default** (10s per attempt). Per-app override is on the roadmap.
</ParamField>

<ParamField body="events" type="string[]">
  Subscribed webhook events. See the [Webhook Event Types](/guides/webhook-signing#event-types) reference for the full list. Common values: `verification.created`, `verification.completed`, `verification.failed`, `verification.session.timed_out`, `verification.workflow.cancelled`.
</ParamField>

## Response

Returns the updated webhook configuration.

<RequestExample>
  ```bash theme={null}
  curl -X PATCH \
    -H "Authorization: Bearer sk_workspace_test_..." \
    -H "Content-Type: application/json" \
    -d '{"events":["verification.completed","verification.failed"],"retryAttempts":3,"timeoutSeconds":10}' \
    "https://sandbox.api.hopae.com/connect/v1/apps/abc123/webhook-config"
  ```
</RequestExample>

<ResponseExample>
  ```json theme={null}
  {
    "url": "https://hooks.example.com/hopae",
    "enabled": true,
    "retryAttempts": 3,
    "timeoutSeconds": 10,
    "secret": "whsec_abc123def456ghi789jkl012mno345",
    "events": [
      "verification.initiated",
      "verification.completed",
      "verification.awaiting_user_action",
      "verification.failed",
      "verification.expired",
      "verification.cancelled"
    ]
  }
  ```
</ResponseExample>

<Info>
  Webhooks are signed via HMAC-SHA256 using the app’s webhook secret. Each delivery includes an
  `X-Hopae-Signature` header in the format `t=<unix-timestamp>,v1=<hex-hmac-sha256>`.
  See the [Webhook Signature Verification](/guides/webhook-signing) guide for verification code
  and replay-protection recommendations.
</Info>