Webhooks
Receive real-time notifications when data changes. Webhooks are configured separately from API keys in Admin > Webhooks, and fire for both CMS and external API writes.
Configuration
Create a webhook in Admin > Webhooks by providing a URL endpoint and optional event subscriptions.
- URL - The HTTPS endpoint that will receive POST requests when events occur.
- Event subscriptions - Select which tables and actions (create, update, delete) should trigger the webhook. If no subscriptions are added, the webhook receives all events from all tables.
- Signing secret - Auto-generated for each webhook. Used to verify that payloads are authentic (see Verification docs).
How It Works
- A record is created, updated, or deleted (via CMS or API).
- The system checks which webhooks are subscribed to that event.
- A POST request is sent to each matching webhook's URL with the event payload.
- Your endpoint receives the payload and processes it.
Behavior
- Webhooks are fire-and-forget with a 5-second timeout. They never block the API response.
- Failed deliveries are logged in the audit system but not retried.
- Sensitive fields (passwords, 2FA secrets) are automatically stripped from the record payload.
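With a 5-second timeout and no retries, a receiver that does slow work inside the request can lose events for good. The receiver below is an added example, not code from this product's documentation: it answers immediately and does the processing off the request path. It assumes a JSON object payload, that a 2xx status counts as delivered, and a local port behind a TLS-terminating proxy; `accept`, `drain`, `pending` and `MAX_BODY` are names chosen for illustration.

```python
import json
import queue
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_BODY = 1_000_000                 # assumed size cap, not from the docs
pending = queue.Queue(maxsize=1000)  # buffer between receiver and worker

def accept(raw: bytes) -> int:
    """Pick the response status for one delivery without doing slow work."""
    # Signature verification (see the Verification docs) goes here, on raw bytes.
    try:
        event = json.loads(raw)      # assumption: the payload is a JSON object
    except ValueError:
        return 400
    if not isinstance(event, dict):
        return 400
    try:
        pending.put_nowait(event)
    except queue.Full:
        return 503                   # the sender will not retry: alert on this
    return 202

def drain(handle) -> int:
    """Process everything queued; return how many events succeeded."""
    done = 0
    while not pending.empty():
        event = pending.get_nowait()
        try:
            handle(event)            # slow work runs here, off the request path
            done += 1
        except Exception as exc:     # one bad event must not stop the rest
            print("processing failed:", exc)
    return done

class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        size = self.headers.get("Content-Length", "")
        ok = size.isdecimal() and int(size) <= MAX_BODY
        self.send_response(accept(self.rfile.read(int(size))) if ok else 413)
        self.end_headers()

if __name__ == "__main__":           # plain HTTP on localhost; TLS ends at a proxy
    server = ThreadingHTTPServer(("127.0.0.1", 8080), Receiver)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    while True:
        drain(print)                 # print stands in for the real handler
        time.sleep(0.2)
```

Because a 503 or a processing failure here is never redelivered, both are worth alerting on and cross-checking against the failed deliveries logged in the audit system.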
Next Steps
- Payloads & Events - Payload format, headers, and event naming conventions.
- Verification - How to verify webhook signatures with your signing secret.