Webhooks API
Subscribe to real-time event notifications via webhooks
Webhooks API
Webhooks deliver real-time notifications when events occur in Rhumby. Subscribe to registration updates, result changes, and other events to keep your systems in sync.
How Webhooks Work
- Create a webhook with your endpoint URL and event subscriptions
- Save the signing secret (shown only once, like API keys)
- Rhumby sends HTTP POST requests to your endpoint when subscribed events occur
- Verify the signature using the secret to ensure authenticity
- Respond with 2xx status code to acknowledge receipt
Webhook Format
All webhook payloads include:
{
"id": "evt_msg_abc123",
"event": "registration.created",
"createdAt": "2026-03-29T16:00:00Z",
"data": {
// Event-specific payload
}
}Endpoints
/api/v1/webhooksList webhooks for your organization
/api/v1/webhooksCreate a new webhook subscription
/api/v1/webhooks/:idGet webhook details
/api/v1/webhooks/:idUpdate webhook configuration
/api/v1/webhooks/:idDelete a webhook subscription
All webhook endpoints require the admin scope on your API key. Only organization admins can manage webhooks.
List Webhooks
Retrieve all webhook subscriptions for your organization.
GET /api/v1/webhooksExample Request
curl "https://rhumby.com/api/v1/webhooks" \
-H "Authorization: Bearer rhb_sk_..."Example Response
{
"data": [
{
"id": "whk_abc123",
"url": "https://api.yourapp.com/webhooks/rhumby",
"events": ["registration.created", "registration.updated", "results.updated"],
"active": true,
"lastTriggeredAt": "2026-03-29T10:30:00Z",
"failureCount": 0,
"createdAt": "2026-01-15T09:00:00Z"
},
{
"id": "whk_def456",
"url": "https://discord.com/api/webhooks/123456/token",
"events": ["results.published"],
"active": true,
"lastTriggeredAt": null,
"failureCount": 0,
"createdAt": "2026-02-20T14:00:00Z"
}
]
}| Parameter | Type | Required | Description |
|---|---|---|---|
id | string | No | Unique webhook identifier |
url | string | No | Webhook endpoint URL |
events | array | No | Array of subscribed event types |
active | boolean | No | Whether the webhook is active |
lastTriggeredAt | string | No | ISO 8601 timestamp of last successful delivery (null if never triggered) |
failureCount | number | No | Consecutive failed delivery attempts. Resets on successful delivery. |
createdAt | string | No | ISO 8601 timestamp of webhook creation |
idstringOptionalUnique webhook identifier
urlstringOptionalWebhook endpoint URL
eventsarrayOptionalArray of subscribed event types
activebooleanOptionalWhether the webhook is active
lastTriggeredAtstringOptionalISO 8601 timestamp of last successful delivery (null if never triggered)
failureCountnumberOptionalConsecutive failed delivery attempts. Resets on successful delivery.
createdAtstringOptionalISO 8601 timestamp of webhook creation
The signing secret is never returned in list or get responses. It is shown only once during creation.
Create Webhook
Subscribe to events by creating a new webhook.
POST /api/v1/webhooksRequest Body
| Parameter | Type | Required | Description |
|---|---|---|---|
url | string | Yes | Webhook endpoint URL. Must use HTTPS in production. |
events | array | Yes | Array of event types to subscribe to. Must include at least one event. |
urlstringRequiredWebhook endpoint URL. Must use HTTPS in production.
eventsarrayRequiredArray of event types to subscribe to. Must include at least one event.
Example Request
curl -X POST "https://rhumby.com/api/v1/webhooks" \
-H "Authorization: Bearer rhb_sk_..." \
-H "Content-Type: application/json" \
-d '{
"url": "https://api.yourapp.com/webhooks/rhumby",
"events": ["registration.created", "registration.updated", "results.updated"]
}'Example Response
{
"data": {
"id": "whk_abc123",
"url": "https://api.yourapp.com/webhooks/rhumby",
"events": ["registration.created", "registration.updated", "results.updated"],
"active": true,
"createdAt": "2026-03-29T16:00:00Z",
"secret": "whsec_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0"
},
"message": "Webhook created. Save the secret — it will not be shown again."
}The secret is returned only in this response. Store it securely. You need it to verify webhook signatures.
Get Webhook
Retrieve details about a specific webhook. The secret is not included.
GET /api/v1/webhooks/:idExample Request
curl "https://rhumby.com/api/v1/webhooks/whk_abc123" \
-H "Authorization: Bearer rhb_sk_..."Example Response
{
"data": {
"id": "whk_abc123",
"url": "https://api.yourapp.com/webhooks/rhumby",
"events": ["registration.created", "registration.updated", "results.updated"],
"active": true,
"lastTriggeredAt": "2026-03-29T10:30:00Z",
"failureCount": 0,
"createdAt": "2026-01-15T09:00:00Z"
}
}Update Webhook
Update webhook URL, events, or active status.
PATCH /api/v1/webhooks/:idRequest Body
| Parameter | Type | Required | Description |
|---|---|---|---|
url | string | No | New webhook endpoint URL (must use HTTPS in production) |
events | array | No | Updated event subscription list (replaces existing events) |
active | boolean | No | Enable or disable the webhook |
urlstringOptionalNew webhook endpoint URL (must use HTTPS in production)
eventsarrayOptionalUpdated event subscription list (replaces existing events)
activebooleanOptionalEnable or disable the webhook
Example Request
curl -X PATCH "https://rhumby.com/api/v1/webhooks/whk_abc123" \
-H "Authorization: Bearer rhb_sk_..." \
-H "Content-Type: application/json" \
-d '{
"active": false
}'Example Response
{
"data": {
"id": "whk_abc123",
"url": "https://api.yourapp.com/webhooks/rhumby",
"events": ["registration.created", "registration.updated", "results.updated"],
"active": false,
"lastTriggeredAt": "2026-03-29T10:30:00Z",
"failureCount": 0,
"createdAt": "2026-01-15T09:00:00Z"
},
"message": "Webhook updated successfully"
}Setting active: false pauses webhook delivery without deleting the subscription. Deliveries resume when you set it back to true.
Delete Webhook
Permanently delete a webhook subscription.
DELETE /api/v1/webhooks/:idExample Request
curl -X DELETE "https://rhumby.com/api/v1/webhooks/whk_abc123" \
-H "Authorization: Bearer rhb_sk_..."Example Response
{
"message": "Webhook deleted successfully"
}Deleted webhooks cannot be recovered. Create a new webhook if you need to re-subscribe.
Event Types
Subscribe to any combination of these event types:
Registration Events
registration.created— New sailor registration submittedregistration.updated— Registration details changed (boat, crew, etc.)registration.cancelled— Sailor withdrew from event
Results Events
results.updated— Race results posted or updatedresults.published— Results officially published (no longer provisional)standings.updated— Series or event standings recalculated
Event Management
event.created— New event/regatta createdevent.updated— Event details changed (dates, venue, registration status)race.scheduled— New race added to schedulerace.started— Race start time recordedrace.completed— Race finish recorded
See Webhook Delivery for detailed event payload examples.
Delivery & Retries
- Timeout: Rhumby waits up to 10 seconds for a 2xx response
- Retries: Failed deliveries retry up to 3 times with exponential backoff (1s, 5s, 30s)
- Auto-disable: After 10 consecutive failures, webhooks are automatically deactivated
- Headers: Each delivery includes:
X-Rhumby-Signature— HMAC-SHA256 signature for verificationX-Rhumby-Event— Event type (e.g.,registration.created)X-Rhumby-Delivery— Unique delivery ID
Your endpoint must respond with a 2xx status code within 10 seconds. Avoid long-running processing in the webhook handler — queue jobs instead.
Signature Verification
Always verify webhook signatures to ensure requests are from Rhumby:
const crypto = require('crypto');
function verifySignature(payload, signature, secret) {
const hmac = crypto.createHmac('sha256', secret);
hmac.update(payload);
const expected = 'sha256=' + hmac.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature)
);
}
// Express.js example
app.post('/webhooks/rhumby', (req, res) => {
const signature = req.headers['x-rhumby-signature'];
const payload = JSON.stringify(req.body);
if (!verifySignature(payload, signature, process.env.WEBHOOK_SECRET)) {
return res.status(401).send('Invalid signature');
}
// Process webhook event
const { event, data } = req.body;
console.log('Received event:', event, data);
res.status(200).send('OK');
});See Webhook Signatures for examples in other languages.
Best Practices
Security
- Always verify signatures before processing webhook data
- Use HTTPS endpoints in production (enforced by the API)
- Rotate secrets if compromised by deleting and recreating the webhook
- Validate event types before processing to avoid unexpected events
Reliability
- Respond quickly — Acknowledge receipt with 2xx immediately, then queue processing
- Implement idempotency using the
idfield to handle duplicate deliveries - Monitor
failureCount— High counts indicate endpoint issues - Use
active: falseto pause deliveries during maintenance instead of deleting
Development
- Use webhook proxies like ngrok or webhookrelay.com for local testing
- Test with real events in a staging organization before deploying to production
- Log all deliveries including headers and payload for debugging
Related
- Webhook Delivery — Detailed event payload examples
- Webhook Signatures — Signature verification in multiple languages
- Webhooks Overview — High-level webhook concepts
- API Keys — Create an API key with
adminscope to manage webhooks