Skip to content

How do I set up a webhook?

Requires Elite

Open Administration → Webhooks, click “Create webhook”, and provide a name, target URL, and the subscribed events (comma-separated, e.g., asset.created). After saving, Notory shows the signing secret exactly once — save it right away. With “Send test” you send a signed ping event and immediately see whether your endpoint responds.

Your receiver must accept an HTTP POST with JSON, respond with a 2xx status within 10 seconds, and should verify the signature.

  1. Open Webhooks. Administration → Webhooks (“Send signed HTTP callbacks to external systems when events occur. The secret is shown only once.”).

    The tenant's webhook management (from the Elite plan).
  2. Create a webhook. Click “Create webhook” and fill in:

    • Name — e.g., “Ticket System”.
    • URL — the HTTPS endpoint of your system.
    • Events (comma-separated) — e.g., asset.created (the available events: What events are there?).
  3. Save the secret. After saving, you’ll see: “Signing secret – copy it now, it will not be shown again:”. Store it in your receiver’s secret store — you’ll need it for signature verification.

    The signing secret appears exactly once — right after creation.
  4. Test it. Click “Send test”: Notory sends a signed ping event to your URL and immediately shows the result (status code or error).

    'Send test' sends a signed ping event and logs the result.
  • Secret generated server-side. Notory itself creates the signing secret (32 random, URL-safe bytes) — you can’t supply your own. It’s used for the HMAC-SHA256 signature of every delivery and is never output again after the creation response. Lost the secret? Delete the webhook and create a new one (rotation).
  • Tenant-bound and active immediately. The webhook belongs to your tenant and is created with active: true. It only receives events belonging to its tenant — and only those listed in its event list.
  • No edit endpoint. Changing the URL or event list = delete the webhook and create a new one (this generates a new secret — update your receiver!).
  • Delivered in the background. Events are delivered best-effort after the actual action (the triggering API response doesn’t wait for your server). Every delivery is recorded with its status code or error in the delivery log.
  • ping for verification. The test delivery is a regular, signed event (X-Webhook-Event: ping) with {"message": "test delivery"} — ideal for developing your signature verification.