Webhooks

Get real-time HTTP POST notifications when things happen in your workspace. Use them to build custom integrations, trigger CI pipelines, or sync data with external tools.

Pro plan Webhooks let you receive real-time HTTP callbacks for workspace events. Upgrade from Billing & Plans.

How It Works

When a subscribed event fires (say, a new post is created), Project Feed sends an HTTP POST to your endpoint with a JSON payload describing what happened. Every delivery includes an HMAC-SHA256 signature so you can verify it came from us.

POST https://your-server.com/webhook
Content-Type: application/json
X-Webhook-Signature: sha256=abc123...
X-Webhook-Timestamp: 1709000000
X-Webhook-Id: del_abc123

{
  "event": "post.created",
  "timestamp": 1709000000000,
  "organization": { "id": "...", "name": "..." },
  "data": { ... }
}

Available Events

Posts

post.createdpost.updatedpost.deletedpost.published

Comments

comment.createdcomment.updatedcomment.deleted

Reactions

reaction.addedreaction.removed

Projects

project.createdproject.updatedproject.deletedproject.archived

Members

member.joinedmember.leftmember.role_changed

Tasks

task.createdtask.updatedtask.deletedtask.completedtask.assignedtask.status_changed

Setup

  1. 1.

    Create a Webhook

    Go to Settings → Developers and click “Add Webhook.” Enter your HTTPS endpoint URL and pick the events you want to subscribe to.

  2. 2.

    Store Your Signing Secret

    A signing secret is generated when the webhook is created. Store it somewhere safe—it’s only shown once. You’ll use it to verify the X-Webhook-Signature header on incoming requests.

  3. 3.

    Send a Test Event

    Click “Test” to fire a sample payload at your endpoint. Check the delivery log to confirm it arrived.

Security

HMAC-SHA256 Signatures

Every delivery is signed with your webhook secret. Compute HMAC-SHA256(secret, "<timestamp>.<id>.<body>") using the values from X-Webhook-Timestamp, X-Webhook-Id, and the raw request body, then compare in constant time to X-Webhook-Signature (strip the sha256= prefix first — the header value is sha256=<hex>, not bare hex). Reject deliveries whose timestamp drifts more than 5 minutes from your server clock to prevent replays.

HTTPS Only

Webhook URLs must use HTTPS. Private and internal IP addresses are blocked to prevent SSRF attacks.

Reliability & Retries

If your endpoint returns a non-2xx status or times out, the delivery is marked as failed. You can retry failed deliveries manually from the webhook settings page.

Circuit breaker: After 10 consecutive failures, the webhook is automatically disabled. Re-enable it from settings once you’ve fixed the issue.

Webhooks API Reference

Create, manage, and test webhooks programmatically via the REST API.