~/docs/webhooks
Webhooks
Receive real-time HTTP callbacks for workspace events.
Webhooks allow you to build or set up integrations that subscribe to certain events on OpenPieces. When one of those events is triggered, we'll send an HTTP POST payload to the webhook's configured URL.
Security & Signatures
To ensure that webhook events are legitimately originating from OpenPieces, every request includes an X-OP-Signature header. This signature is an HMAC SHA-256 hash generated using your webhook's secret and the JSON payload body.
javascript
import { createHmac } from "crypto";
const WEBHOOK_SECRET = process.env.OP_WEBHOOK_SECRET;
app.post("/webhook", (req, res) => {
const signature = req.headers["x-op-signature"];
const payload = JSON.stringify(req.body);
const hmac = createHmac("sha256", WEBHOOK_SECRET);
hmac.update(payload);
const expectedSignature = hmac.digest("hex");
if (signature !== expectedSignature) {
return res.status(401).send("Invalid signature");
}
// Process the event...
res.status(200).send("OK");
});Headers
Every webhook request will include the following custom headers:
X-OP-EventThe name of the event that triggered the webhook (e.g., tool.called).
X-OP-SignatureThe HMAC SHA-256 signature for verifying the payload.