> ## Documentation Index
> Fetch the complete documentation index at: https://docs.timbrix.mx/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Webhook

> Creates a webhook endpoint for receiving events. Only OWNERS and ADMINS can create webhooks.

Creates a webhook endpoint for receiving events. Only OWNERS and ADMINS can create webhooks.

## Authentication

This endpoint requires authentication via Bearer token:

* **Authorization**: `Bearer <token>`

## Path Parameters

| Parameter        | Type          | Required | Description     |
| ---------------- | ------------- | -------- | --------------- |
| `organizationId` | string (UUID) | Yes      | Organization ID |

## Request Body

| Field    | Type   | Required | Description                                    |
| -------- | ------ | -------- | ---------------------------------------------- |
| `url`    | string | Yes      | Webhook endpoint URL (must be valid HTTPS URL) |
| `events` | array  | Yes      | Array of event types to subscribe to           |

## Available Events

Subscribe to any of these events:

* **Organization**: `organization.created`, `organization.updated`, `organization.deleted`
* **Members**: `member.added`, `member.removed`, `member.role_updated`
* **Invites**: `invite.created`, `invite.accepted`, `invite.cancelled`
* **OAuth**: `oauth_app.created`, `oauth_app.revoked`
* **Webhooks**: `webhook.created`

## Permissions

Only **OWNERS** and **ADMINS** can create webhooks.

## Example Request

```bash theme={null}
curl -X POST http://localhost:3001/api/organizations/550e8400-e29b-41d4-a716-446655440000/webhooks \
  -H "Authorization: Bearer <your_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://example.com/webhooks",
    "events": ["organization.created", "member.added"]
  }'
```

## Example Response

```json theme={null}
{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "organizationId": "550e8400-e29b-41d4-a716-446655440000",
  "url": "https://example.com/webhooks",
  "events": ["organization.created", "member.added"],
  "isActive": true,
  "secret": "whsec_1234567890abcdef",
  "createdAt": "2025-01-26T10:00:00Z",
  "updatedAt": "2025-01-26T10:00:00Z"
}
```

**⚠️ Important**: Save the `secret` value - it's only returned once and used for signature verification.

## Webhook Payload

Your endpoint will receive POST requests with this format:

```json theme={null}
{
  "event": "member.added",
  "organization": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "slug": "acme-corp",
    "name": "Acme Corp"
  },
  "data": { ... },
  "timestamp": "2025-12-26T10:00:00Z"
}
```

## Signature Verification

All webhook requests include an HMAC SHA-256 signature in the `X-Webhook-Signature` header for verification.

```javascript theme={null}
const crypto = require('crypto')

function verifySignature(payload, signature, secret) {
  const hmac = crypto.createHmac('sha256', secret)
  const digest = hmac.update(payload).digest('hex')
  return digest === signature
}
```

## Retry Logic

Failed webhook deliveries are retried up to **3 times** with exponential backoff (1s, 5s, 30s).

## Common Errors

### 400 Bad Request

Invalid input data.

```json theme={null}
{
  "statusCode": 400,
  "message": ["url must be a valid URL", "events must be an array"]
}
```

### 401 Unauthorized

Authentication required.

```json theme={null}
{
  "statusCode": 401,
  "message": "Authentication required. Provide a valid bearer token."
}
```

### 403 Forbidden

Only owners and admins can create webhooks.

```json theme={null}
{
  "statusCode": 403,
  "message": "Access denied. Only owners and admins can create webhooks."
}
```


## OpenAPI

````yaml POST /organizations/{organizationId}/webhooks
openapi: 3.1.0
info:
  title: Timbrix API
  description: >-
    REST API with OAuth2 server for managing organizations, members, and
    webhooks
  version: '1.0'
  contact: {}
servers:
  - url: http://sandbox.mintlify.com
    description: Sandbox environment
  - url: http://localhost:3001/api
    description: Local development
security: []
tags:
  - name: organizations
    description: Organization management endpoints
  - name: oauth
    description: OAuth2 authentication and authorization
  - name: webhooks
    description: Webhook configuration and delivery
  - name: users
    description: User information endpoints
  - name: api-keys
    description: API Keys management and validation
paths:
  /organizations/{organizationId}/webhooks:
    post:
      tags:
        - webhooks
      summary: Create a new webhook
      description: >-
        Creates a webhook endpoint for receiving events. Only OWNERS and ADMINS
        can create webhooks.
      operationId: WebhooksController_create
      parameters:
        - name: organizationId
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateWebhookDto'
      responses:
        '201':
          description: >-
            Webhook created successfully. Returns webhook configuration with
            signing secret.
        '400':
          description: Invalid input data. Check URL format and event types.
        '401':
          description: Authentication required. Provide a valid bearer token.
        '403':
          description: Access denied. Only owners and admins can create webhooks.
      security:
        - bearer: []
components:
  schemas:
    CreateWebhookDto:
      type: object
      properties:
        url:
          type: string
          description: Webhook endpoint URL
          example: https://example.com/webhooks
        events:
          type: array
          description: Events to subscribe to
          example:
            - organization.created
            - organization.updated
          items:
            type: string
            enum:
              - organization.created
              - organization.updated
              - organization.deleted
              - member.added
              - member.removed
              - member.role_updated
              - invite.created
              - invite.accepted
              - invite.cancelled
              - oauth_app.created
              - oauth_app.revoked
              - webhook.created
      required:
        - url
        - events
  securitySchemes:
    bearer:
      scheme: bearer
      bearerFormat: JWT
      type: http

````