Skip to main content
An event is a single captured request to an ingest URL — the verb, headers, body, and the verification webhook.co performed on it. Read one in full with events.get (GET /v1/events/{id}); browse an endpoint’s events with events.list, which returns a lighter summary.

The full event

events.get returns every field below. It’s the detail view: ordered, unscrubbed request headers and the structured verification diagnostic, but not the raw body — that’s fetched separately (see the raw body).
id
string
The event’s UUID.
endpointId
string
The endpoint that captured it.
provider
string | null
The identified provider slug (e.g. stripe, github), or null when the request couldn’t be attributed to a known provider.
receivedAt
string
When capture completed, as an RFC 3339 timestamp. This is the ordering key for an endpoint’s events.
method
string | null
The captured request’s HTTP method. null on older rows recorded before the method was stored — treat null as “unrecorded”, not as an inferred POST.
contentType
string | null
The request’s declared Content-Type, or null if it sent none.
payloadBytes
integer
The exact size of the raw body in bytes.
headers
array
The request headers as ordered [name, value] string pairs — unscrubbed and preserving order and duplicates, so you see exactly what arrived. The list summary omits this.
verified
boolean
Whether an adapter matched a signature. verificationState is the field to read for the full picture — verified alone can’t distinguish “no signature was checked” from “a signature was checked and rejected”.
verificationState
string
The truthful outcome of verification, one of verified (a payload signature checked out), authenticated (a shared token or HTTP Basic — weaker, reported distinctly), failed (a signature was checked and rejected), or unattempted (no signature was checked). See inbound verification.
verification
object | null
The structured verification diagnostic (which adapter ran, why it matched or didn’t), or null when nothing was attempted.
providerEventId
string | null
The provider’s own event identifier, when one was present in the request. null otherwise.
dedupKey
string
The key webhook.co derived for deduplication.
dedupStrategy
string
How dedupKey was derived, recorded so inspection can explain why two events did or didn’t collapse. First match wins, in order: sw_webhook_id, provider_event_id, content_hash, fields, or unique.

The list summary

events.list returns a summary per event — enough to browse and filter without the cost of headers and the verification diagnostic. It carries id, endpointId, receivedAt, provider, dedupKey, dedupStrategy, verified, and verificationState. Fetch the full event with events.get when you need the rest. See inspect and search events.

The raw body

The body is never inlined into the event JSON. Fetch it with events.getPayload (GET /v1/events/{id}/payload), which returns the exact captured bytes in a base64 envelope:
{
  "contentType": "application/json",
  "bytes": 1024,
  "bodyBase64": "eyJoZWxsbyI6I...=="
}
The SDKs decode this for you and verify the decoded length against bytes, returning the raw bytes plus contentType. Keeping the body out-of-band means an event listing stays cheap and binary payloads survive byte-for-byte — which matters for signature fidelity.

Headers webhook.co adds on delivery

When webhook.co forwards a captured event to a destination, it signs the outbound request per the Standard Webhooks spec and adds three headers your receiver verifies:
HeaderWhat it carries
webhook-idA unique message id, stable across retries of the same delivery — your receiver’s idempotency key.
webhook-timestampUnix seconds; verify it falls within your accepted replay window.
webhook-signatureOne or more v1,<sig> signatures, space-delimited so a rotating secret’s old and new keys both validate during the overlap.
webhook.co only re-signs events it authenticated (verified or authenticated). An unattempted event is still forwarded but without a signature, so a forged request can never carry webhook.co’s signature onward. A failed event is never forwarded at all. See delivery, retry, and signing.