Base URL
/v1 and are HTTPS-only. Fetch the spec yourself at https://api.webhook.co/openapi.json.
Authentication
Every request carries awhk_ bearer token in the Authorization header:
403 FORBIDDEN. See authentication for the scope table, whoami, and how the CLI signs in over OAuth.
Responses and errors
A successful call returns200 with a JSON body. A failure carries a machine-readable code, the HTTP status, and a requestId (echoed in the x-request-id header — include it in support reports):
code per status. See errors and status codes for the full table and the typed error classes the SDKs raise.
Pagination
List endpoints use opaque keyset cursors, not offsets, so paging is stable while new events arrive underneath you. A page carries up tolimit items (max 200) and a nextCursor; a null cursor means the end. See pagination.
Rate limits
A throttled request returns429 with a Retry-After header, which the SDKs honor automatically with capped exponential backoff. See rate limits.
What you’ll work with
The event object
The shape of a captured event, and the Standard Webhooks headers webhook.co adds on delivery.
Delivery guarantees
Durable-before-ACK capture, at-least-once delivery, ordering, and verified-gated signing.
SDKs
Typed clients for TypeScript, Python, and Go — with retries, pagination, and idempotency built in.
Authentication
The
whk_ bearer key, scopes, and signing in from the CLI.