curl --request POST \
  --url https://spectrum.photon.codes/projects/{projectId}/webhooks/ \
  --header 'Content-Type: application/json' \
  --data '
{
  "webhookUrl": "<string>"
}
'

{
  "succeed": true,
  "data": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "webhookUrl": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "signingSecret": "<string>"
  }
}

webhooks

Register webhook

Registers a destination URL for the authenticated project. The response contains a fresh signingSecret (64 lowercase hex characters) — save it now; it is returned only here and cannot be retrieved later.

Delivery format

Each event is delivered as an HTTP POST to your URL with these headers:

Header	Meaning
`X-Spectrum-Event`	Event type (e.g. `messages`).
`X-Spectrum-Webhook-Id`	The id of this webhook, useful when you have multiple registered.
`X-Spectrum-Timestamp`	UNIX epoch seconds at signing time.
`X-Spectrum-Signature`	`v0=<hex>` — the signature you must verify (see below).

Verifying the signature

Compute the HMAC-SHA256 of the string v0:{X-Spectrum-Timestamp}:{rawBody} keyed by your signingSecret, render it as lowercase hex, prefix with v0=, and compare in constant time against X-Spectrum-Signature. The signed input is the exact request body bytes — do not re-serialize the JSON before hashing.

sig = 'v0=' + hmacSha256Hex(signingSecret, 'v0:' + timestamp + ':' + rawBody)

For replay protection, also reject deliveries whose X-Spectrum-Timestamp differs from your current clock by more than ~5 minutes.

Errors

Returns 409 if an active webhook with the same URL is already registered for this project. Registering a URL that was previously deleted is allowed and yields a new webhook with a new signing secret.

Requires Authorization: Basic base64(projectId:projectSecret).

POST

projects

{projectId}

webhooks

curl --request POST \
  --url https://spectrum.photon.codes/projects/{projectId}/webhooks/ \
  --header 'Content-Type: application/json' \
  --data '
{
  "webhookUrl": "<string>"
}
'

{
  "succeed": true,
  "data": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "webhookUrl": "<string>",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "signingSecret": "<string>"
  }
}

Path Parameters

projectId

string<uuid>

required

Pattern:

^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$

Body

webhookUrl

string<uri>

required

Response

200 - application/json

Response for status 200

succeed

boolean

required

data

object

required

Show child attributes

List webhooks

Delete webhook

⌘I

Spectrum API

Documentation Index

Path Parameters

Body

Response