Skip to main content
POST
/
webhooks
/
endpoints
Create a webhook endpoint
curl --request POST \
  --url https://api.conduit.financial/v2/webhooks/endpoints \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: <api-key>' \
  --data '
{
  "url": "https://api.example.com/webhooks/conduit",
  "description": "Production webhook receiver",
  "subscription": {
    "mode": "ALL"
  }
}
'
{
  "id": "<string>",
  "url": "https://api.example.com/webhooks/conduit",
  "description": "Production webhook receiver",
  "active": true,
  "subscription": {
    "mode": "ALL"
  },
  "createdAt": "2026-01-15T09:30:00.000Z",
  "updatedAt": "2026-01-15T09:30:00.000Z",
  "secret": "whsec_8f3a2b1c4d5e6f7081928374a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e",
  "signature": {
    "algorithm": "hmac-sha256",
    "headerName": "X-Conduit-Signature",
    "headerFormat": "t=<unix-seconds>,v1=<hex-digest>[,v1=<hex-digest>]",
    "signedPayloadFormat": "<unix-seconds>.<raw-request-body>",
    "secretFormat": "whsec_<64-hex>"
  }
}

Authorizations

x-api-key
string
header
required

Body

application/json
url
string<uri>
required

URL where webhook payloads will be delivered. Must be HTTPS; a URL that resolves to a private or reserved address is rejected.

Maximum string length: 2048
Example:

"https://api.example.com/webhooks/conduit"

description
string

Human-readable description of this endpoint's purpose

Maximum string length: 255
Example:

"Production webhook receiver"

subscription
object

Event subscription configuration. Omit or set mode:'ALL' to receive all events.

Example:
{ "mode": "ALL" }

Response

id
string
required

Unique webhook endpoint identifier

Pattern: ^wep_[0-9A-Za-z]{22}$
url
string
required

URL where webhook payloads are delivered

Example:

"https://api.example.com/webhooks/conduit"

description
string | null
required

Human-readable description of this endpoint's purpose

Example:

"Production webhook receiver"

active
boolean
required

Whether this endpoint is currently receiving new deliveries. When false, the endpoint is excluded from event fan-out — no new deliveries are enqueued. In-flight (already-enqueued) deliveries are not cancelled and continue retrying per the normal schedule. Flip back to true via PATCH to resume receiving new deliveries.

Example:

true

subscription
object
required

Event subscription configuration for this endpoint

createdAt
string<date-time>
required

ISO 8601 timestamp

Example:

"2026-01-15T09:30:00.000Z"

updatedAt
string<date-time>
required

ISO 8601 timestamp

Example:

"2026-01-15T09:30:00.000Z"

secret
string
required

Per-endpoint signing secret. Returned only once — when the endpoint is created and again each time its secret is rotated — so store it securely. Format: literal whsec_ prefix + 64 hex chars (see signature.secretFormat). Pass the FULL string verbatim, including the whsec_ prefix, as the HMAC-SHA256 key when verifying incoming X-Conduit-Signature headers — stripping the prefix produces a different digest and every valid delivery fails verification.

Example:

"whsec_8f3a2b1c4d5e6f7081928374a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5c6d7e"

signature
object
required

Signature verification metadata. Same constants apply to every webhook delivery; signing secrets are per-endpoint.