Register webhook
Registers a destination URL for the authenticated project. The response contains a fresh signingSecret (64 lowercase hex characters) — save it now; it is returned only here and cannot be retrieved later.
Delivery format
Each event is delivered as an HTTP POST to your URL with these headers:
| Header | Meaning |
|---|---|
X-Spectrum-Event | Event type (e.g. messages). |
X-Spectrum-Webhook-Id | The id of this webhook, useful when you have multiple registered. |
X-Spectrum-Timestamp | UNIX epoch seconds at signing time. |
X-Spectrum-Signature | v0=<hex> — the signature you must verify (see below). |
Verifying the signature
Compute the HMAC-SHA256 of the string v0:{X-Spectrum-Timestamp}:{rawBody} keyed by your signingSecret, render it as lowercase hex, prefix with v0=, and compare in constant time against X-Spectrum-Signature. The signed input is the exact request body bytes — do not re-serialize the JSON before hashing.
sig = 'v0=' + hmacSha256Hex(signingSecret, 'v0:' + timestamp + ':' + rawBody)
For replay protection, also reject deliveries whose X-Spectrum-Timestamp differs from your current clock by more than ~5 minutes.
Errors
Returns 409 if an active webhook with the same URL is already registered for this project. Registering a URL that was previously deleted is allowed and yields a new webhook with a new signing secret.
Requires Authorization: Basic base64(projectId:projectSecret).
Path Parameters
^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$