Skip to main content
POST
/
api
/
webhooks
Create Webhook
curl --request POST \
  --url https://app.opencomputer.dev/api/webhooks \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "url": "<string>",
  "eventTypes": [
    "<string>"
  ],
  "sandboxId": "<string>",
  "secret": "<string>",
  "name": "<string>",
  "enabled": true
}
'
{
  "id": "whk_3f9a2c",
  "name": "prod",
  "url": "https://app.example.com/oc-webhook",
  "eventTypes": ["sandbox.stopped"],
  "sandboxId": null,
  "enabled": true,
  "hasSecret": true,
  "secret": "whsec_Hk9…",
  "createdAt": "2026-06-24T12:00:00Z",
  "updatedAt": "2026-06-24T12:00:00Z"
}
Register a webhook destination for sandbox lifecycle events. See Webhooks.
url
string
required
HTTPS endpoint to deliver to. (SSRF protection is applied by the delivery provider at send time, not at registration.)
eventTypes
string[]
Event-type allow-list — exact (sandbox.stopped) or prefix (sandbox.*). Default: all event types. Types outside the sandbox taxonomy are rejected with 400.
sandboxId
string
Scope to a single sandbox. Omit to receive events for all of the org’s sandboxes.
secret
string
Signing secret. Omit and one is generated (whsec_…). The secret is returned in the create response and is re-fetchable any time via GET /api/webhooks/{id}/secret.
name
string
Optional display name for the destination.
enabled
boolean
Whether the destination is active. Default true. false pauses delivery.
Idempotency-Key
string
Optional. A retried create with the same key and same body returns the same destination (200) instead of a duplicate. Reusing the key with a different body is a 409 conflict.
Without an Idempotency-Key, each call creates a new destination and returns 201 — there is no get-or-create by name. With one, a retried call returns the same destination with 200. Validation (all 400): url must be HTTPS; each eventTypes entry must be a known sandbox event type or a prefix.* wildcard.
{
  "id": "whk_3f9a2c",
  "name": "prod",
  "url": "https://app.example.com/oc-webhook",
  "eventTypes": ["sandbox.stopped"],
  "sandboxId": null,
  "enabled": true,
  "hasSecret": true,
  "secret": "whsec_Hk9…",
  "createdAt": "2026-06-24T12:00:00Z",
  "updatedAt": "2026-06-24T12:00:00Z"
}