events.get (GET /v1/events/{id}); browse an endpoint’s events with events.list, which returns a lighter summary.
The full event
events.get returns every field below. It’s the detail view: ordered, unscrubbed request headers and the structured verification diagnostic, but not the raw body — that’s fetched separately (see the raw body).
The event’s UUID.
The endpoint that captured it.
The identified provider slug (e.g.
stripe, github), or null when the request couldn’t be
attributed to a known provider.When capture completed, as an RFC 3339 timestamp. This is the ordering key for an endpoint’s
events.
The captured request’s HTTP method.
null on older rows recorded before the method was stored —
treat null as “unrecorded”, not as an inferred POST.The request’s declared
Content-Type, or null if it sent none.The exact size of the raw body in bytes.
The request headers as ordered
[name, value] string pairs — unscrubbed and preserving order and
duplicates, so you see exactly what arrived. The list summary omits this.Whether an adapter matched a signature.
verificationState is the field to read for the full
picture — verified alone can’t distinguish “no signature was checked” from “a signature was
checked and rejected”.The truthful outcome of verification, one of
verified (a payload signature checked out),
authenticated (a shared token or HTTP Basic — weaker, reported distinctly), failed (a
signature was checked and rejected), or unattempted (no signature was checked). See inbound
verification.The structured verification diagnostic (which adapter ran, why it matched or didn’t), or
null
when nothing was attempted.The provider’s own event identifier, when one was present in the request.
null otherwise.The key webhook.co derived for deduplication.
How
dedupKey was derived, recorded so inspection can explain why two events did or didn’t
collapse. First match wins, in order: sw_webhook_id, provider_event_id, content_hash,
fields, or unique.The list summary
events.list returns a summary per event — enough to browse and filter without the cost of headers and the verification diagnostic. It carries id, endpointId, receivedAt, provider, dedupKey, dedupStrategy, verified, and verificationState. Fetch the full event with events.get when you need the rest. See inspect and search events.
The raw body
The body is never inlined into the event JSON. Fetch it withevents.getPayload (GET /v1/events/{id}/payload), which returns the exact captured bytes in a base64 envelope:
bytes, returning the raw bytes plus contentType. Keeping the body out-of-band means an event listing stays cheap and binary payloads survive byte-for-byte — which matters for signature fidelity.
Headers webhook.co adds on delivery
When webhook.co forwards a captured event to a destination, it signs the outbound request per the Standard Webhooks spec and adds three headers your receiver verifies:| Header | What it carries |
|---|---|
webhook-id | A unique message id, stable across retries of the same delivery — your receiver’s idempotency key. |
webhook-timestamp | Unix seconds; verify it falls within your accepted replay window. |
webhook-signature | One or more v1,<sig> signatures, space-delimited so a rotating secret’s old and new keys both validate during the overlap. |
webhook.co only re-signs events it authenticated (
verified or authenticated). An unattempted
event is still forwarded but without a signature, so a forged request can never carry
webhook.co’s signature onward. A failed event is never forwarded at all. See delivery, retry,
and signing.