Webhook endpoints can also be managed in the KeyStone Dashboard under Settings > Webhooks - no code required.
create
Create a webhook endpoint. The signing secret is auto-generated and only returned on creation.Event patterns
list / get
WebhookEndpointRead
update
delete
test
Send atest.ping event to verify delivery works.
rotateSecret
Rotate the signing secret. The previous secret stays valid for 24 hours so you can update your handler without downtime.listDeliveries
View delivery attempt history for an endpoint.WebhookDeliveryLogRead
verifySignature
Verify a webhook signature locally. This is a synchronous operation - no API call.Use
express.raw() (not express.json()) so the middleware receives the raw body for signature verification. Parsing the body before verification can change whitespace and break the signature.HMAC-SHA256(webhook_secret, raw_body) and sent in the X-Keystone-Signature header as a hex string. During secret rotation, the previous secret’s signature is sent in X-Keystone-Signature-Previous.