Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.usehasp.com/llms.txt

Use this file to discover all available pages before exploring further.

Manage outbound webhook endpoints programmatically. All three endpoints require the control:webhooks scope. Webhooks registered here are the same endpoints visible in the Webhooks page of each app in the dashboard. Creating one via the API is equivalent to clicking Add endpoint in the UI — they share the same delivery infrastructure. For information on the events that are delivered and how to verify signatures, see Outbound Webhooks.

List webhook endpoints

GET https://api.usehasp.com/v1/webhooks
Authorization: Bearer wa_live_...
Returns all non-deleted webhook endpoints across every app in your org.

Response

{
  "success": true,
  "data": [
    {
      "id": "01JQWH0000000000000000000",
      "app_id": "01JQAPP00000000000000000",
      "url": "https://example.com/hooks/hasp",
      "events": ["record.created", "record.updated"],
      "is_active": true,
      "description": "Production record sync",
      "created_at": "2026-05-01T10:00:00+00:00"
    }
  ]
}
The signing secret is never returned in list or detail responses — it is returned once at creation time only.

Create a webhook endpoint

POST https://api.usehasp.com/v1/webhooks
Authorization: Bearer wa_live_...
Content-Type: application/json

Body

{
  "app_id": "01JQAPP00000000000000000",
  "url": "https://example.com/hooks/hasp",
  "events": ["record.created", "record.updated"],
  "description": "Production record sync"
}
FieldTypeRequiredDescription
app_idstringYesULID of the app to attach this endpoint to. Must belong to your org.
urlstringYesHTTPS destination URL. Max 2048 characters. Private/internal IPs and localhost are rejected.
eventsarrayYesOne or more event strings. Must be non-empty.
descriptionstringNoHuman-readable label. Max 255 characters.
Valid events: record.created, record.updated, record.deleted, record.bulk_created, schema.updated

Response (201)

{
  "success": true,
  "data": {
    "id": "01JQWH0000000000000000000",
    "app_id": "01JQAPP00000000000000000",
    "url": "https://example.com/hooks/hasp",
    "events": ["record.created", "record.updated"],
    "is_active": true,
    "description": "Production record sync",
    "created_at": "2026-05-02T10:00:00+00:00",
    "secret": "a3f9c2d8..."
  }
}
data.secret is the HMAC-SHA256 signing secret. This is the only time it is returned. Store it securely — it cannot be retrieved again. To replace it, delete the endpoint and create a new one (or use the dashboard’s Rotate secret button, which has a 7-day grace period for the old secret).

Delete a webhook endpoint

DELETE https://api.usehasp.com/v1/webhooks/{endpoint_id}
Authorization: Bearer wa_live_...
Soft-deletes the endpoint. In-flight deliveries that are already queued will still attempt delivery; new events will not be dispatched. Endpoints belonging to a different org return 404.

Response

{
  "success": true,
  "data": {
    "id": "01JQWH0000000000000000000"
  }
}

Error codes

CodeHTTPDescription
INVALID_API_KEY401Caller’s key is invalid or revoked
MISSING_SCOPE403Key lacks control:webhooks scope
VALIDATION_FAILED422Invalid URL, empty events array, or unknown event type
RESOURCE_NOT_FOUND404Endpoint ID not found or app belongs to another org