> ## Documentation Index
> Fetch the complete documentation index at: https://docs.webhook.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Register a replay destination (returns a one-time signing secret)



## OpenAPI

````yaml https://api.webhook.co/openapi.json post /v1/replay-destinations
openapi: 3.1.0
info:
  title: webhook.co API
  version: 1.0.0
  description: >-
    The webhook.co REST API: create ingest endpoints, inspect captured events,
    manage delivery destinations and subscriptions, and replay events. All
    requests are authenticated with a bearer `whk_` API key. Responses are JSON;
    every successful response is HTTP 200. Errors use a JSON `{error, message}`
    envelope, except 401/403 which are empty-bodied with a WWW-Authenticate
    header.
  license:
    name: Apache-2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
  - url: https://api.webhook.co
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Endpoints
    description: Create, inspect, and manage ingest endpoints and their secrets.
  - name: Events
    description: Browse, fetch, tail, and replay captured events.
  - name: Deliveries
    description: Observe outbound delivery attempts.
  - name: Replay Destinations
    description: Manage the allowlist of remote delivery destinations.
  - name: Subscriptions
    description: Configure auto-delivery routing rules.
  - name: Audit
    description: Verify the tamper-evident audit chain.
  - name: Identity
    description: Inspect the authenticated principal.
paths:
  /v1/replay-destinations:
    post:
      tags:
        - Replay Destinations
      summary: Register a replay destination (returns a one-time signing secret)
      operationId: replayDestinationsCreate
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ReplayDestinationsCreateRequest'
      responses:
        '200':
          description: Success.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CreatedReplayDestination'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/InternalError'
      security:
        - bearerAuth: []
components:
  schemas:
    ReplayDestinationsCreateRequest:
      type: object
      properties:
        url:
          type: string
          minLength: 1
          maxLength: 2048
        label:
          type: string
          minLength: 1
          maxLength: 200
      required:
        - url
      description: >-
        `url` must be a public HTTPS URL (no IP-literal host, credentials,
        disallowed port, or bare hostname); the server rejects a non-conforming
        URL with 400 VALIDATION_ERROR.
    CreatedReplayDestination:
      type: object
      properties:
        id:
          type: string
          format: uuid
          pattern: >-
            ^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$
        orgId:
          type: string
          format: uuid
          pattern: >-
            ^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-8][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}|00000000-0000-0000-0000-000000000000|ffffffff-ffff-ffff-ffff-ffffffffffff)$
        url:
          type: string
        label:
          anyOf:
            - type: string
            - type: 'null'
        status:
          type: string
          enum:
            - active
            - revoked
        createdAt:
          type: string
          format: date-time
        lastValidatedAt:
          anyOf:
            - type: string
              format: date-time
            - type: 'null'
        ordered:
          type: boolean
        disabledAt:
          anyOf:
            - type: string
              format: date-time
            - type: 'null'
        signingSecret:
          type: string
      required:
        - id
        - orgId
        - url
        - label
        - status
        - createdAt
        - lastValidatedAt
        - ordered
        - disabledAt
      additionalProperties: false
    Error:
      type: object
      description: The JSON error envelope for capability faults.
      properties:
        error:
          type: string
          description: A stable capability-error code.
        message:
          type: string
          description: A human-readable description.
      required:
        - error
        - message
  responses:
    BadRequest:
      description: The request failed validation.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: >-
        Missing or invalid bearer credential. Empty body; the WWW-Authenticate
        header carries the challenge.
      headers:
        WWW-Authenticate:
          description: RFC 6750 Bearer challenge.
          schema:
            type: string
    Forbidden:
      description: >-
        The credential is valid but lacks the required scope. Empty body;
        WWW-Authenticate carries the challenge.
      headers:
        WWW-Authenticate:
          description: RFC 6750 Bearer challenge.
          schema:
            type: string
    TooManyRequests:
      description: A rate limit or soft cap was exceeded.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    InternalError:
      description: An unexpected server error. The body is a plain-text sentinel.
      content:
        text/plain:
          schema:
            type: string
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: opaque
      description: A `whk_`-prefixed API key (opaque; not a JWT).

````