Skip to main content
POST
/
integrations
/
api
/
v1
/
webhooks
/
endpoints
Create a webhook endpoint
curl --request POST \
  --url https://www.closient.com/integrations/api/v1/webhooks/endpoints/ \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "url": "<string>",
  "metadata": {},
  "description": "",
  "event_types": [
    "<string>"
  ],
  "is_active": true
}
'
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "url": "<string>",
  "signing_secret": "<string>",
  "is_active": true,
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z",
  "metadata": {},
  "description": "",
  "event_types": [
    "<string>"
  ]
}

Documentation Index

Fetch the complete documentation index at: https://docs.closient.com/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

X-API-Key
string
header
required

Body

application/json

Request body for POST /webhooks/endpoints/.

On create, the response includes the full signing secret — store it immediately on the customer side; subsequent reads return a masked form.

url
string
required

Target URL the webhook payload will be POSTed to. HTTPS is required in production; http:// is accepted only by the local development server. Maximum 2048 characters. The request body is the raw event JSON; the signature lives in the X-Closient-Signature header (see signing_secret for the verification recipe).

Maximum string length: 2048
metadata
Metadata · object

Developer-attached key/value data. Send {} or null to clear. Empty-string values delete that key. Omitted keys are preserved.

description
string
default:""

Optional human-readable label for this endpoint. Surfaced in the brand portal's webhooks list alongside the URL — useful when a single account has separate staging / production endpoints. Maximum 255 characters. Has no effect on delivery.

Maximum string length: 255
event_types
string[]

List of event-type strings this endpoint subscribes to. Closient only delivers events whose event_type is in this list; an empty list means the endpoint receives nothing (use is_active=false for the same effect with clearer intent). Wildcards are not supported — list every type explicitly. Examples: offer.updated, product.recalled, retailer.created.

is_active
boolean
default:true

Whether this endpoint should receive deliveries. false pauses delivery without deleting historical records or losing the signing secret — useful while debugging a customer-side outage. New events are not enqueued for inactive endpoints.

Response

201 - application/json

Created

A webhook endpoint as read from the API.

Returned by GET /webhooks/endpoints/{endpoint_id}/, the list view, and the rotate-secret/test endpoints. signing_secret is masked except on the initial create response and on the rotate-secret response — see :data:_SIGNING_SECRET_READ_DESC.

id
string<uuid>
required

UUID identifier of the endpoint. Use this in path params and the deliveries-list endpoint_id filter.

url
string
required

Target URL the webhook payload will be POSTed to. HTTPS is required in production; http:// is accepted only by the local development server. Maximum 2048 characters. The request body is the raw event JSON; the signature lives in the X-Closient-Signature header (see signing_secret for the verification recipe).

Maximum string length: 2048
signing_secret
string
required

HMAC-SHA256 signing secret for verifying the X-Closient-Signature header on inbound deliveries. Returned in full only on creation and rotation; subsequent GET/LIST responses return a masked form (<first-8-chars>...). Verification recipe: compute HMAC-SHA256(secret, f"{timestamp}.{raw_body}") where timestamp is the t= portion of the header, then hmac.compare_digest against the v1= portion. Reject if the timestamp is older than 5 minutes (replay protection). During a 24-hour rotation grace period the header carries an additional v1old= signature using the prior secret — accept either.

is_active
boolean
required

Whether this endpoint should receive deliveries. false pauses delivery without deleting historical records or losing the signing secret — useful while debugging a customer-side outage. New events are not enqueued for inactive endpoints.

created_at
string<date-time>
required

Server-side ISO 8601 timestamp (UTC) of when the resource was first persisted.

updated_at
string<date-time>
required

Server-side ISO 8601 timestamp (UTC) of the resource's last modification.

metadata
Metadata · object

Developer-attached key/value data attached to this object. Up to 50 keys; key max 40 chars, value max 500 chars.

description
string
default:""

Optional human-readable label for this endpoint. Surfaced in the brand portal's webhooks list alongside the URL — useful when a single account has separate staging / production endpoints. Maximum 255 characters. Has no effect on delivery.

Maximum string length: 255
event_types
string[]

List of event-type strings this endpoint subscribes to. Closient only delivers events whose event_type is in this list; an empty list means the endpoint receives nothing (use is_active=false for the same effect with clearer intent). Wildcards are not supported — list every type explicitly. Examples: offer.updated, product.recalled, retailer.created.