Webhooks
Endpoint management
Inspect, modify, and remove webhook endpoints.
All endpoints take a secret API key (hpn_live_sk_*) with the webhooks:manage scope, or a signed-in dashboard session.
List
Bash
GET /v1/webhooksGet one
Bash
GET /v1/webhooks/{webhook_id}Update
Bash
PUT /v1/webhooks/{webhook_id}
Content-Type: application/json
{
"url": "https://new-server.com/webhooks/harpoon",
"events": ["transaction.completed", "transaction.failed"]
}| Field | Type | Description |
|---|---|---|
url | string | New URL (HTTPS) |
events | array | New event subscription list |
description | string | Label |
is_active | boolean | false pauses delivery without deleting |
Delete
Bash
DELETE /v1/webhooks/{webhook_id}Re-creating an endpoint generates a new signing secret.
Test
Bash
POST /v1/webhooks/{webhook_id}/testSends a sample payload through the same delivery path as a real event.
Reveal the signing secret
Dashboard only — Settings → Webhooks → Reveal Secret. Requires re-entering your password. API keys are refused.
Bash
POST /v1/webhooks/{webhook_id}/secret
Authorization: Bearer <dashboard-jwt>
Content-Type: application/json
{ "password": "your-account-password" }Rate-limited to 5 attempts per 15 minutes per user.
Rotating secrets
Secret rotation in place isn’t supported. Create a new endpoint, switch your verifier over, then delete the old one.