Manage Outgoing Webhooks

Manage outgoing webhook endpoints over the API instead of the Open API → Outgoing Webhooks tab in the CMS. This is the same set of capabilities — create an endpoint, choose the events it subscribes to (optionally filtered to specific walls or forms), configure authentication and custom headers, send a test delivery, and revoke or deactivate it — so external systems can set up integrations without a human in the CMS.

For the catalog of events and their delivery payloads, see Outgoing Webhooks.

Required scope: read:webhooks, write:webhooks.

Endpoints

GET

/api/open/v1/webhooks

List your webhook endpoints

GET

/api/open/v1/webhooks/{id}

Get a single endpoint

GET

/api/open/v1/webhooks/{id}/secret

Reveal the full signing secret

POST

/api/open/v1/webhooks

Create an endpoint

PUT

/api/open/v1/webhooks/{id}

Update an endpoint

POST

/api/open/v1/webhooks/{id}/revoke

Revoke an endpoint (permanent)

POST

/api/open/v1/webhooks/{id}/toggle

Activate or deactivate an endpoint

POST

/api/open/v1/webhooks/{id}/ping

Send a test delivery

Create

curl -X POST https://customer.monotree.com/api/open/v1/webhooks \
  -H "Authorization: Bearer mono_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My integration",
    "url": "https://example.com/monotree/webhook",
    "events": ["monotree.post.created", "monotree.user.registered"],
    "filters": { "monotree.post.created": [1, 3] },
    "auth_type": "bearer_token",
    "auth_value": "your-receiving-endpoint-token",
    "custom_headers": { "X-Tenant": "acme" }
  }'

Request body

Field	Type	Notes
`name`	string	Required. A label for the endpoint.
`url`	string	Required. The HTTPS URL deliveries are sent to.
`events`	array of strings	Required. One or more event names. An unrecognised event returns `422`.
`filters`	object	Optional. Restricts entity-scoped events to specific entity IDs — see Filtering events.
`auth_type`	string	Optional. One of `bearer_token`, `basic_auth`, `api_key`. See Authenticating deliveries.
`auth_value`	string	Optional. The token, credentials, or API key value for the chosen `auth_type`.
`auth_header`	string	Optional. The header name for `api_key` auth (e.g. `X-Api-Key`).
`custom_headers`	object	Optional. Extra headers sent with every delivery, as a `{ "Header-Name": "value" }` map.

A new endpoint is active immediately and is issued a signing secret. The response masks the secret — fetch the full value once with GET /webhooks/{id}/secret.

Filtering events

Some events are tied to an entity and can be narrowed to specific instances by passing their IDs under filters, keyed by event name. An event with no filter (or a non-filterable event) fires for all matching activity.

Event	Filter by
`monotree.post.created`	Wall IDs
`monotree.comment.created`, `monotree.comment.updated`, `monotree.comment.deleted`	Wall IDs
`monotree.formresponse.created`, `monotree.formresponse.updated`	Form IDs

All other events (e.g. monotree.user.registered, monotree.onboarding.completed, monotree.formresponse.alarm_triggered) are not entity-scoped; any filters supplied for them are ignored.

Authenticating deliveries

Beyond the HMAC signature (see Outgoing Webhooks), you can have Monotree add an auth header to every delivery:

`auth_type`	Header sent	`auth_value`	`auth_header`
`bearer_token`	`Authorization: Bearer <auth_value>`	the token	—
`basic_auth`	`Authorization: Basic <base64(auth_value)>`	`user:password`	—
`api_key`	`<auth_header>: <auth_value>`	the key	the header name

Update

PUT accepts the same fields as create; only what you send is changed. Sending events (with optional filters) replaces the endpoint's existing event rules.

curl -X PUT https://customer.monotree.com/api/open/v1/webhooks/42 \
  -H "Authorization: Bearer mono_your_token_here" \
  -H "Content-Type: application/json" \
  -d '{ "events": ["monotree.announcement.published"] }'

Response

{
  "data": {
    "id": 42,
    "name": "My integration",
    "url": "https://example.com/monotree/webhook",
    "is_active": true,
    "events": ["monotree.post.created", "monotree.user.registered"],
    "filters": { "monotree.post.created": [1, 3] },
    "auth_type": "bearer_token",
    "custom_headers": { "X-Tenant": "••••" },
    "secret": "a1b2c3d4...",
    "total_deliveries": 0,
    "last_used_at": null,
    "revoked_at": null,
    "created_at": "2026-06-09T10:00:00+00:00",
    "updated_at": "2026-06-09T10:00:00+00:00"
  }
}

Field	Type	Notes
`events`	array	Distinct event names the endpoint subscribes to.
`filters`	object	Entity IDs per event, for entity-scoped events only.
`custom_headers`	object or `null`	Header names only — values are masked as `••••`.
`secret`	string	A hint (first 8 characters). Fetch the full secret with `GET /webhooks/{id}/secret`.
`is_active`	boolean	Whether deliveries are currently sent.
`revoked_at`	datetime or `null`	When the endpoint was revoked, if ever.

Revealing the secret

Returns the full HMAC signing secret so you can verify delivery signatures.

curl https://customer.monotree.com/api/open/v1/webhooks/42/secret \
  -H "Authorization: Bearer mono_your_token_here"

{ "data": { "secret": "a1b2c3d4e5f6..." } }

Activate / deactivate

POST /webhooks/{id}/toggle flips is_active. A deactivated endpoint stops receiving deliveries but keeps its configuration and history, so you can switch it back on later.

Revoke

POST /webhooks/{id}/revoke permanently deactivates the endpoint and records revoked_at. The record and its delivery logs are kept for audit; there is no hard delete — this mirrors the CMS.

Test delivery

POST /webhooks/{id}/ping sends a signed monotree.test payload to the endpoint URL using its current secret, auth, and custom headers. The response reports whether the delivery succeeded:

{ "ok": true, "status": "delivered" }