Webhooks
Events you can subscribe to
| Event | Fired when |
|---|---|
job.queued | A new async job has been accepted. |
job.running | An async job has started processing. |
job.succeeded | An async job finished successfully. Results are ready to fetch. |
job.failed | An async job ended in failure. The payload includes error. |
stay.cached | A /v1/stays/{id} row has been refreshed in the cache. |
POST /v1/webhooks
Register a new webhook. The signing_secret is shown only in this response —
store it now.
curl -X POST https://api.stayingapi.com/v1/webhooks \ -H "Authorization: Bearer sk_live_..." \ -H "content-type: application/json" \ -d '{ "url": "https://example.com/hooks/staying", "events": ["job.succeeded", "job.failed"] }'{ "data": { "id": "8513b8a8-...", "url": "https://example.com/hooks/staying", "events": ["job.succeeded", "job.failed"], "description": null, "active": true, "created_at": "2026-05-26T14:33:37Z", "signing_secret": "whsec_23Cs...", "note": "Store this signing secret now. It cannot be retrieved later." }, "request_id": "req_..."}GET /v1/webhooks
List your webhooks. Signing secrets are never returned again.
curl https://api.stayingapi.com/v1/webhooks \ -H "Authorization: Bearer sk_live_..."GET /v1/webhooks/{id}
Fetch one webhook by id.
curl https://api.stayingapi.com/v1/webhooks/8513b8a8-... \ -H "Authorization: Bearer sk_live_..."DELETE /v1/webhooks/{id}
Revoke a webhook. This is a soft-delete — deliveries stop immediately and the row remains for audit until purged.
curl -X DELETE https://api.stayingapi.com/v1/webhooks/8513b8a8-... \ -H "Authorization: Bearer sk_live_..."{ "data": { "id": "8513b8a8-...", "revoked": true }, "request_id": "req_..." }To change a webhook’s URL, events, or signing secret, delete it and create a
new one — there is no PUT endpoint.
GET /v1/webhooks/{id}/deliveries
Audit log of every delivery attempt against this webhook. Returns the most recent 200 attempts.
curl https://api.stayingapi.com/v1/webhooks/8513b8a8-.../deliveries \ -H "Authorization: Bearer sk_live_..."Each row carries event, attempt, status_code, response_preview (first
500 bytes of the customer endpoint response), delivered, and attempted_at.
Signature header
x-stayingapi-signature: t=1716040800,v1=8b8c2bdac9...Where t is the unix timestamp and v1 is HMAC-SHA256(t + "." + rawBody, signing_secret).
Reject deliveries older than 5 minutes to prevent replay attacks.
See recipes/verify-webhook for code.
Retries
We retry on non-2xx responses up to 2 times (initial + 2), with 1s and 6s
backoff. After 3 failures the delivery is recorded for audit via the
/deliveries endpoint above.