Webhooks let ErynoaGroup notify your application in real time when events occur. Use these endpoints to manage your webhook subscriptions programmatically, or configure them through your dashboard.

Webhook object

{
  "id": "wh_01HX4K9Z2QBZJMFR5T6VWYP8D",
  "url": "https://your-app.com/webhook",
  "events": ["resource.created", "resource.updated"],
  "status": "active",
  "secret": "whsec_...",
  "created_at": "2024-01-15T10:30:00Z"
}

Event types

Event                      Triggered when
resource.created           A new resource is created
resource.updated           A resource’s attributes are changed
resource.deleted           A resource is deleted
resource.status_changed    A resource’s status changes

List webhooks

GET /v1/webhooks
Example:
curl -X GET https://api.erynoa.group/v1/webhooks \
  -H "Authorization: Bearer YOUR_API_KEY"

Create a webhook

POST /v1/webhooks
url (string, required): The HTTPS URL that receives event payloads. Must be publicly accessible.
events (array, required): List of event types to subscribe to. Use ["*"] to subscribe to all events.
Example:
curl -X POST https://api.erynoa.group/v1/webhooks \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-app.com/webhook",
    "events": ["resource.created", "resource.updated"]
  }'
Response: 201 Created — includes a secret field (shown only once) for signature verification.

Delete a webhook

DELETE /v1/webhooks/{id}
Example:
curl -X DELETE https://api.erynoa.group/v1/webhooks/wh_01HX4K9Z2QBZJMFR5T6VWYP8D \
  -H "Authorization: Bearer YOUR_API_KEY"

Webhook payload structure

Every event payload follows this structure:
{
  "id": "evt_01HX9P3NXVQMJRFT8K2BWYC7E",
  "type": "resource.created",
  "created_at": "2024-01-15T11:00:00Z",
  "data": {
    "object": {
      "id": "res_01HX9P3NXVQMJRFT8K2BWYC7E",
      "type": "resource",
      "status": "active",
      "name": "My Resource",
      "created_at": "2024-01-15T11:00:00Z"
    }
  }
}

Verifying webhook signatures

ErynoaGroup signs each payload using HMAC-SHA256 with your webhook secret. The signature is in the X-Erynoa-Signature header.
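import hmac
import hashlib

def verify_webhook_signature(raw_body: bytes, secret: str, signature: str) -> bool:
    # raw_body must be the request bytes exactly as received, before any JSON parsing.
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # Compare as bytes in constant time; compare_digest raises TypeError on non-ASCII str.
    return hmac.compare_digest(expected.encode(), signature.encode("utf-8", "replace"))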
Always verify the signature before processing a webhook payload. Skipping verification opens your endpoint to spoofed events.
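
An added example, not ErynoaGroup's own code: a receiver-side check that verifies the signature over the raw request bytes before parsing, rejects a missing or malformed X-Erynoa-Signature header without raising, and skips event ids it has already processed. It assumes the header carries the bare lowercase hex digest (as the snippet above implies) and that event ids are unique; handle_webhook, sign, seen_ids and the sample values are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Erynoa-Signature"  # header name from the page

def sign(raw_body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the raw body, matching the page's verification snippet."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()

def handle_webhook(headers: dict, raw_body: bytes, secret: str, seen_ids: set):
    """Return (http_status, event_or_None). Nothing is parsed until the MAC checks out."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    signature = lowered.get(SIGNATURE_HEADER.lower())
    if not signature:
        return 401, None  # unsigned request
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input,
    # which would turn a junk header into an unhandled exception.
    expected = sign(raw_body, secret).encode()
    supplied = signature.strip().encode("utf-8", "replace")
    if not hmac.compare_digest(expected, supplied):
        return 401, None  # wrong secret, altered body, or malformed header
    # Parse only after verification, and verify the bytes as received.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(event, dict) or "id" not in event or "type" not in event:
        return 400, None
    # Assumption: event ids are unique, so a repeated id is a redelivery or replay.
    if event["id"] in seen_ids:
        return 200, None  # acknowledge, but do not process twice
    seen_ids.add(event["id"])
    return 200, event

# Constructed sample values, not real credentials or traffic.
SAMPLE_SECRET = "whsec_constructed_example"
SAMPLE_BODY = json.dumps({
    "id": "evt_constructed_0001",
    "type": "resource.created",
    "data": {"object": {"id": "res_constructed_0001", "status": "active"}},
}).encode()

if __name__ == "__main__":
    seen = set()
    good = {SIGNATURE_HEADER: sign(SAMPLE_BODY, SAMPLE_SECRET)}
    print(handle_webhook(good, SAMPLE_BODY, SAMPLE_SECRET, seen))         # accepted
    print(handle_webhook(good, SAMPLE_BODY + b" ", SAMPLE_SECRET, seen))  # body changed
```

In a real service seen_ids would be a shared store with an expiry rather than an in-memory set.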