Pre-release — contact your Fortary account team for access.
POST to an HTTPS endpoint you control.
The delivery contract
- At-least-once. The same event can be delivered more than once — deduplicate on the event
id. - Unordered. A retried earlier event can arrive after a later one — order by the event’s
date, never by arrival time. - Signed. Always verify the signature before trusting a payload.
Setting up a webhook
Webhooks can be managed in the Fortary web portal or through the API. When creating one you choose:- Entities — the entity or entities (your organization’s operating units in Fortary) whose events the webhook receives.
- Event types — an explicit list of the event kinds to deliver. There are no wildcards; new kinds are opt-in.
- Vault filter (optional) — restrict vault-scoped events to specific vaults.
- Notification email — where Fortary sends operational notices, for example an automatic disable.
whsec_…) is returned exactly once at creation — store it in your secret manager immediately. A lost secret cannot be retrieved, only rotated. An entity can be covered by at most 20 active webhooks.
Authorization
Webhook reads require thewebhook:read scope; mutations require webhook:manage. Because changing a webhook’s URL redirects custody data, management is restricted to owner-level credentials. A webhook outside the credential’s access returns 404, never 403 — see Authorization.
Operations
| Operation | Path | Description |
|---|---|---|
| Create webhook | POST /v1/webhooks | Create a webhook (returns the signing secret once) |
| List webhooks | GET /v1/webhooks | List webhooks across accessible entities |
| Get webhook | GET /v1/webhooks/{webhookId} | Retrieve a webhook with its health counters |
| Update webhook | PATCH /v1/webhooks/{webhookId} | Update URL, event kinds, vault filter, status, or description |
| Rotate webhook secret | POST /v1/webhooks/{webhookId}/rotate-secret | New secret, returned once; 24-hour grace window |
| Delete webhook | DELETE /v1/webhooks/{webhookId} | Delete a webhook (history retained) |
| Ping webhook | POST /v1/webhooks/{webhookId}/ping | Signed test POST with the live result inline |
| List webhook deliveries | GET /v1/webhooks/{webhookId}/deliveries | Delivery history with per-attempt detail |
| List webhook events | GET /v1/webhook-events | The event log (31-day retention) |
| Get webhook event | GET /v1/webhook-events/{eventId} | Event detail including how many webhooks matched |
| List event deliveries | GET /v1/webhook-events/{eventId}/deliveries | All deliveries of one event |
| Redeliver | POST /v1/webhook-deliveries/{deliveryId}/redeliver | Re-send a delivery’s event |
Your first handler
Capture the raw body, verify the signature, acknowledge immediately, process asynchronously:2xx within 10 seconds.
Guides
- Event types — every event kind, the envelope, and payload examples
- Verifying signatures — the signature scheme with working code
- Delivery & retries — the retry schedule, automatic disabling, and redelivery

