FEATURES
Webhooks
Outbound signed HTTP callbacks for tests, events, and chatbot private actions.
Overview
Outbound signed HTTP callbacks for tests, events, and chatbot private actions.
Who should use this
Integrators syncing StartupCore events into their systems.
Core concepts
You register HTTPS endpoints; StartupCore signs body with shared secret. Action workflows call your API during chat.
Setup
POST /webhooks with url + eventTypes → store secret → verify X-StartupCore-Signature on receive.
Required entitlement
webhooks
Required permissions
webhook.view, webhook.manage.
REST API
CRUD /tenants/{id}/webhooks, POST .../test, POST .../rotate-secret.
SDK (@startupcore/api-client)
startupCore.webhooks.list(tenantId), .create(tenantId, { url, eventTypes }), .test(tenantId, webhookId).
React components
<WebhookEndpointTable />, <WebhookEndpointForm />, <WebhookTestPanel />.
Webhooks
Headers: X-StartupCore-Signature, X-StartupCore-Timestamp, X-StartupCore-Tenant-Id, X-StartupCore-Environment-Id, X-StartupCore-Action-Id, Idempotency-Key.
Security notes
HTTPS only; reject timestamps older than 5 minutes.
Troubleshooting
Signature mismatch — use raw body and timestamp.payload format.