Skip to main content
Webhook endpoints can also be managed in the KeyStone Dashboard under Settings > Webhooks - no code required.

create

Create a webhook endpoint. The signing secret is auto-generated and only returned on creation.

Event patterns


list / get

WebhookEndpointRead


update


delete


test

Send a test.ping event to verify delivery works.

rotateSecret

Rotate the signing secret. The previous secret stays valid for 24 hours so you can update your handler without downtime.

listDeliveries

View delivery attempt history for an endpoint.

WebhookDeliveryLogRead


verifySignature

Verify a webhook signature locally. This is a synchronous operation - no API call.
Use express.raw() (not express.json()) so the middleware receives the raw body for signature verification. Parsing the body before verification can change whitespace and break the signature.
The signature is computed as HMAC-SHA256(webhook_secret, raw_body) and sent in the X-Keystone-Signature header as a hex string. During secret rotation, the previous secret’s signature is sent in X-Keystone-Signature-Previous.