Skip to content

Webhooks

Events you can subscribe to

EventFired when
job.queuedA new async job has been accepted.
job.runningAn async job has started processing.
job.succeededAn async job finished successfully. Results are ready to fetch.
job.failedAn async job ended in failure. The payload includes error.
stay.cachedA /v1/stays/{id} row has been refreshed in the cache.

POST /v1/webhooks

Register a new webhook. The signing_secret is shown only in this response — store it now.

Terminal window
curl -X POST https://api.stayingapi.com/v1/webhooks \
-H "Authorization: Bearer sk_live_..." \
-H "content-type: application/json" \
-d '{
"url": "https://example.com/hooks/staying",
"events": ["job.succeeded", "job.failed"]
}'
{
"data": {
"id": "8513b8a8-...",
"url": "https://example.com/hooks/staying",
"events": ["job.succeeded", "job.failed"],
"description": null,
"active": true,
"created_at": "2026-05-26T14:33:37Z",
"signing_secret": "whsec_23Cs...",
"note": "Store this signing secret now. It cannot be retrieved later."
},
"request_id": "req_..."
}

GET /v1/webhooks

List your webhooks. Signing secrets are never returned again.

Terminal window
curl https://api.stayingapi.com/v1/webhooks \
-H "Authorization: Bearer sk_live_..."

GET /v1/webhooks/{id}

Fetch one webhook by id.

Terminal window
curl https://api.stayingapi.com/v1/webhooks/8513b8a8-... \
-H "Authorization: Bearer sk_live_..."

DELETE /v1/webhooks/{id}

Revoke a webhook. This is a soft-delete — deliveries stop immediately and the row remains for audit until purged.

Terminal window
curl -X DELETE https://api.stayingapi.com/v1/webhooks/8513b8a8-... \
-H "Authorization: Bearer sk_live_..."
{ "data": { "id": "8513b8a8-...", "revoked": true }, "request_id": "req_..." }

To change a webhook’s URL, events, or signing secret, delete it and create a new one — there is no PUT endpoint.

GET /v1/webhooks/{id}/deliveries

Audit log of every delivery attempt against this webhook. Returns the most recent 200 attempts.

Terminal window
curl https://api.stayingapi.com/v1/webhooks/8513b8a8-.../deliveries \
-H "Authorization: Bearer sk_live_..."

Each row carries event, attempt, status_code, response_preview (first 500 bytes of the customer endpoint response), delivered, and attempted_at.

Signature header

x-stayingapi-signature: t=1716040800,v1=8b8c2bdac9...

Where t is the unix timestamp and v1 is HMAC-SHA256(t + "." + rawBody, signing_secret). Reject deliveries older than 5 minutes to prevent replay attacks.

See recipes/verify-webhook for code.

Retries

We retry on non-2xx responses up to 2 times (initial + 2), with 1s and 6s backoff. After 3 failures the delivery is recorded for audit via the /deliveries endpoint above.

Next