FEATURES

Webhooks

Outbound signed HTTP callbacks for tests, events, and chatbot private actions.

Overview

Outbound signed HTTP callbacks for tests, events, and chatbot private actions.

Who should use this

Integrators syncing StartupCore events into their systems.

Core concepts

You register HTTPS endpoints; StartupCore signs body with shared secret. Action workflows call your API during chat.

Setup

POST /webhooks with url + eventTypes → store secret → verify X-StartupCore-Signature on receive.

Required entitlement

webhooks

Required permissions

webhook.view, webhook.manage.

REST API

CRUD /tenants/{id}/webhooks, POST .../test, POST .../rotate-secret.

SDK (@startupcore/api-client)

startupCore.webhooks.list(tenantId), .create(tenantId, { url, eventTypes }), .test(tenantId, webhookId).

React components

<WebhookEndpointTable />, <WebhookEndpointForm />, <WebhookTestPanel />.

Webhooks

Headers: X-StartupCore-Signature, X-StartupCore-Timestamp, X-StartupCore-Tenant-Id, X-StartupCore-Environment-Id, X-StartupCore-Action-Id, Idempotency-Key.

Security notes

HTTPS only; reject timestamps older than 5 minutes.

Troubleshooting

Signature mismatch — use raw body and timestamp.payload format.