> ## Documentation Index
> Fetch the complete documentation index at: https://docs.closient.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Update a webhook endpoint

> Partial update — every field on the request body is optional and omitted fields are left untouched. ``metadata`` follows Stripe-style merge semantics (``{}``/``null`` clears, empty-string values delete a key). The signing secret cannot be rotated through this endpoint; use the dedicated rotate-secret endpoint instead.



## OpenAPI

````yaml /openapi/openapi-integrations.json patch /integrations/api/v1/webhooks/endpoints/{endpoint_id}/
openapi: 3.1.0
info:
  title: Integrations API
  version: 1.0.0
  description: >
    Webhook endpoint management and delivery tracking.


    ## Authentication


    All endpoints require an API key passed via the `X-API-Key` HTTP header,
    unless otherwise noted.


    ```

    X-API-Key: csb_<body>_<checksum>

    ```


    Generate API keys in **Settings > API Keys** in your dashboard, or via the
    Account API.

    Session-based (cookie) authentication is also accepted for browser-based
    access.


    ## Rate Limits


    | Tier        | Requests / minute | Requests / day |

    |-------------|-------------------|----------------|

    | Default     | 300               | 10,000         |

    | Custom      | Contact us        | Contact us     |


    Rate-limit headers are included on every response so callers can
    self-throttle without

    hitting our 429s ("informed governor"):


    - `RateLimit-Policy` — every active window, e.g. `300;w=60, 10000;w=86400`

    - `RateLimit-Limit` — quota for the **most-restrictive** currently-active
    window

    - `RateLimit-Remaining` — requests left in that window

    - `RateLimit-Reset` — seconds until that window resets (relative; clock-skew
    safe)


    Legacy `X-RateLimit-*` aliases are also emitted for back-compat.
    `X-RateLimit-Reset`

    keeps the absolute Unix-timestamp shape to avoid breaking existing
    consumers.


    When rate-limited, you receive `429 Too Many Requests` with a
    `retry_after_seconds` field

    in the error envelope and a `Retry-After` header.


    ## Pagination


    List endpoints return paginated results in this envelope:


    ```json

    {
      "data": [...],
      "pagination": {
        "page": 1,
        "page_size": 25,
        "total_count": 342,
        "total_pages": 14,
        "has_next": true,
        "has_previous": false
      }
    }

    ```


    Use `?page=2&page_size=50` query parameters. Maximum page size is 100.


    ## Error Responses


    All errors conform to [RFC 9457 Problem
    Details](https://www.rfc-editor.org/rfc/rfc9457)

    with `Content-Type: application/problem+json`:


    ```json

    {
      "type": "https://closient.com/docs/errors/not_found",
      "title": "Not Found",
      "status": 404,
      "detail": "The requested resource was not found.",
      "error_code": "not_found",
      "retryable": false,
      "timestamp": "2026-03-31T12:00:00+00:00"
    }

    ```


    Common error codes: `unauthorized` (401), `forbidden` (403), `not_found`
    (404),

    `validation_error` (422), `rate_limited` (429), `internal_error` (500).
  termsOfService: https://www.closient.com/terms/
servers:
  - url: https://www.closient.com
security: []
tags:
  - name: Webhook Endpoints
    description: Register and manage webhook delivery endpoints.
  - name: Webhook Deliveries
    description: Track and replay webhook delivery attempts.
externalDocs:
  description: Closient Documentation
  url: https://docs.closient.com
paths:
  /integrations/api/v1/webhooks/endpoints/{endpoint_id}/:
    patch:
      tags:
        - Webhook Endpoints
      summary: Update a webhook endpoint
      description: >-
        Partial update — every field on the request body is optional and omitted
        fields are left untouched. ``metadata`` follows Stripe-style merge
        semantics (``{}``/``null`` clears, empty-string values delete a key).
        The signing secret cannot be rotated through this endpoint; use the
        dedicated rotate-secret endpoint instead.
      operationId: apps_integrations_webhooks_api_update_endpoint_view
      parameters:
        - in: path
          name: endpoint_id
          schema:
            description: >-
              UUID of the webhook endpoint. Returned as the ``id`` field on
              every endpoint response.
            format: shortuuid
            maxLength: 22
            minLength: 22
            pattern: ^[23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{22}$
            title: Endpoint Id
            type: string
          required: true
          description: >-
            UUID of the webhook endpoint. Returned as the ``id`` field on every
            endpoint response.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/EndpointUpdateSchema'
        required: true
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EndpointResponseSchema'
      security:
        - APIKeyHeaderAuth: []
        - OAuthTokenAuth: []
        - SessionAuth: []
components:
  schemas:
    EndpointUpdateSchema:
      description: |-
        Request body for ``PATCH /webhooks/endpoints/{endpoint_id}/``.

        All fields are optional. Omitted fields are left untouched (Stripe-style
        partial update). ``metadata`` follows the standard Stripe-equivalent
        merge rules — see :class:`MetadataWriteMixin`.
      examples:
        - description: Updated webhook endpoint
          event_types:
            - offer.updated
            - product.recalled
            - retailer.created
          is_active: true
          metadata:
            order_id: '6735'
          url: https://example.com/webhooks/closient-v2
      properties:
        metadata:
          anyOf:
            - additionalProperties:
                type: string
              type: object
            - type: 'null'
          description: >-
            Developer-attached key/value data. Send {} or null to clear.
            Empty-string values delete that key. Omitted keys are preserved.
          title: Metadata
        url:
          anyOf:
            - maxLength: 2048
              type: string
            - type: 'null'
          description: >-
            Target URL the webhook payload will be POSTed to. **HTTPS is
            required in production**; ``http://`` is accepted only by the local
            development server. Maximum 2048 characters. The request body is the
            raw event JSON; the signature lives in the ``X-Closient-Signature``
            header (see ``signing_secret`` for the verification recipe).
          title: Url
        description:
          anyOf:
            - maxLength: 255
              type: string
            - type: 'null'
          description: >-
            Optional human-readable label for this endpoint. Surfaced in the
            brand portal's webhooks list alongside the URL — useful when a
            single account has separate ``staging`` / ``production`` endpoints.
            Maximum 255 characters. Has no effect on delivery.
          title: Description
        event_types:
          anyOf:
            - items:
                type: string
              type: array
            - type: 'null'
          description: >-
            List of event-type strings this endpoint subscribes to. Closient
            only delivers events whose ``event_type`` is in this list; an empty
            list means the endpoint receives nothing (use ``is_active=false``
            for the same effect with clearer intent). Wildcards are not
            supported — list every type explicitly. Examples: ``offer.updated``,
            ``product.recalled``, ``retailer.created``.
          title: Event Types
        is_active:
          anyOf:
            - type: boolean
            - type: 'null'
          description: >-
            Whether this endpoint should receive deliveries. ``false`` pauses
            delivery without deleting historical records or losing the signing
            secret — useful while debugging a customer-side outage. New events
            are not enqueued for inactive endpoints.
          title: Is Active
      title: EndpointUpdateSchema
      type: object
    EndpointResponseSchema:
      description: |-
        A webhook endpoint as read from the API.

        Returned by ``GET /webhooks/endpoints/{endpoint_id}/``, the list view,
        and the rotate-secret/test endpoints. ``signing_secret`` is masked
        except on the initial create response and on the rotate-secret
        response — see :data:`_SIGNING_SECRET_READ_DESC`.
      examples:
        - created_at: '2025-06-15T10:00:00Z'
          description: Production webhook endpoint
          event_types:
            - offer.updated
            - product.recalled
          id: f47ac10b-58cc-4372-a567-0e02b2c3d479
          is_active: true
          metadata:
            order_id: '6735'
          signing_secret: whsec_12...
          updated_at: '2025-08-01T14:30:00Z'
          url: https://example.com/webhooks/closient
      properties:
        metadata:
          additionalProperties:
            type: string
          description: >-
            Developer-attached key/value data attached to this object. Up to 50
            keys; key max 40 chars, value max 500 chars.
          title: Metadata
          type: object
        id:
          description: >-
            UUID identifier of the endpoint. Use this in path params and the
            deliveries-list ``endpoint_id`` filter.
          format: uuid
          title: Id
          type: string
        url:
          description: >-
            Target URL the webhook payload will be POSTed to. **HTTPS is
            required in production**; ``http://`` is accepted only by the local
            development server. Maximum 2048 characters. The request body is the
            raw event JSON; the signature lives in the ``X-Closient-Signature``
            header (see ``signing_secret`` for the verification recipe).
          maxLength: 2048
          title: Url
          type: string
        description:
          default: ''
          description: >-
            Optional human-readable label for this endpoint. Surfaced in the
            brand portal's webhooks list alongside the URL — useful when a
            single account has separate ``staging`` / ``production`` endpoints.
            Maximum 255 characters. Has no effect on delivery.
          maxLength: 255
          title: Description
          type: string
        signing_secret:
          description: >-
            HMAC-SHA256 signing secret for verifying the
            ``X-Closient-Signature`` header on inbound deliveries. Returned **in
            full only on creation and rotation**; subsequent ``GET``/``LIST``
            responses return a masked form (``<first-8-chars>...``).
            Verification recipe: compute ``HMAC-SHA256(secret,
            f"{timestamp}.{raw_body}")`` where ``timestamp`` is the ``t=``
            portion of the header, then ``hmac.compare_digest`` against the
            ``v1=`` portion. Reject if the timestamp is older than 5 minutes
            (replay protection). During a 24-hour rotation grace period the
            header carries an additional ``v1old=`` signature using the prior
            secret — accept either.
          title: Signing Secret
          type: string
        event_types:
          description: >-
            List of event-type strings this endpoint subscribes to. Closient
            only delivers events whose ``event_type`` is in this list; an empty
            list means the endpoint receives nothing (use ``is_active=false``
            for the same effect with clearer intent). Wildcards are not
            supported — list every type explicitly. Examples: ``offer.updated``,
            ``product.recalled``, ``retailer.created``.
          items:
            type: string
          title: Event Types
          type: array
        is_active:
          description: >-
            Whether this endpoint should receive deliveries. ``false`` pauses
            delivery without deleting historical records or losing the signing
            secret — useful while debugging a customer-side outage. New events
            are not enqueued for inactive endpoints.
          title: Is Active
          type: boolean
        created_at:
          description: >-
            Server-side ISO 8601 timestamp (UTC) of when the resource was first
            persisted.
          format: date-time
          title: Created At
          type: string
        updated_at:
          description: >-
            Server-side ISO 8601 timestamp (UTC) of the resource's last
            modification.
          format: date-time
          title: Updated At
          type: string
      required:
        - id
        - url
        - signing_secret
        - is_active
        - created_at
        - updated_at
      title: EndpointResponseSchema
      type: object
  securitySchemes:
    APIKeyHeaderAuth:
      type: apiKey
      in: header
      name: X-API-Key
    OAuthTokenAuth:
      type: http
      scheme: bearer
    SessionAuth:
      type: apiKey
      in: cookie
      name: sessionid

````