Webhooks
Get real-time HTTP POST notifications when things happen in your workspace. Use them to build custom integrations, trigger CI pipelines, or sync data with external tools.
Pro plan — Webhooks let you receive real-time HTTP callbacks for workspace events. Upgrade from Billing & Plans.
How It Works
When a subscribed event fires (say, a new post is created), Project Feed sends an HTTP POST to your endpoint with a JSON payload describing what happened. Every delivery includes an HMAC-SHA256 signature so you can verify it came from us.
POST https://your-server.com/webhook
Content-Type: application/json
X-Webhook-Signature: sha256=abc123...
X-Webhook-Timestamp: 1709000000
X-Webhook-Id: del_abc123
{
"event": "post.created",
"timestamp": 1709000000000,
"organization": { "id": "...", "name": "..." },
"data": { ... }
}Available Events
Posts
post.createdpost.updatedpost.deletedpost.publishedComments
comment.createdcomment.updatedcomment.deletedReactions
reaction.addedreaction.removedProjects
project.createdproject.updatedproject.deletedproject.archivedMembers
member.joinedmember.leftmember.role_changedTasks
task.createdtask.updatedtask.deletedtask.completedtask.assignedtask.status_changedSetup
- 1.
Create a Webhook
Go to Settings → Developers and click “Add Webhook.” Enter your HTTPS endpoint URL and pick the events you want to subscribe to.
- 2.
Store Your Signing Secret
A signing secret is generated when the webhook is created. Store it somewhere safe—it’s only shown once. You’ll use it to verify the
X-Webhook-Signatureheader on incoming requests. - 3.
Send a Test Event
Click “Test” to fire a sample payload at your endpoint. Check the delivery log to confirm it arrived.
Security
HMAC-SHA256 Signatures
Every delivery is signed with your webhook secret. Compute HMAC-SHA256(secret, "<timestamp>.<id>.<body>") using the values from X-Webhook-Timestamp, X-Webhook-Id, and the raw request body, then compare in constant time to X-Webhook-Signature (strip the sha256= prefix first — the header value is sha256=<hex>, not bare hex). Reject deliveries whose timestamp drifts more than 5 minutes from your server clock to prevent replays.
HTTPS Only
Webhook URLs must use HTTPS. Private and internal IP addresses are blocked to prevent SSRF attacks.
Reliability & Retries
If your endpoint returns a non-2xx status or times out, the delivery is marked as failed. You can retry failed deliveries manually from the webhook settings page.
Circuit breaker: After 10 consecutive failures, the webhook is automatically disabled. Re-enable it from settings once you’ve fixed the issue.
Webhooks API Reference
Create, manage, and test webhooks programmatically via the REST API.