Set up an endpoint
Create a webhook endpoint in the dashboard or via the API, send a test event, and go live.
Setting up a webhook
Follow these steps to go from zero to a verified, production-ready endpoint.
1. Prepare your receiver URL
Your server needs a public HTTPS URL that accepts POST requests with a JSON body. Callback URLs must use HTTPS.
Your handler should:
- Read the raw request body as a string or buffer (do not parse JSON before verifying the signature).
- Read the
Styrar-Signature,Styrar-Event-Id, andStyrar-Event-Typeheaders. - Verify the signature (see the Verifying signatures section below).
- Return 2xx quickly after the event is accepted. Queue heavy work asynchronously.
Example path: https://your-app.com/webhooks/styrar
Styrar cannot deliver to private or loopback addresses such as localhost.
2. Get API access (for programmatic setup)
API keys require a Team or Agency workspace. Create keys under Settings → API keys on an eligible plan.
If you create endpoints via the API instead of the dashboard, you need a Bearer token with:
| Scope | Access |
|---|---|
webhooks:read | List endpoints, deliveries, and event types |
webhooks:write | Create, update, delete, test, rotate secret, retry deliveries |
Create an API key in Settings → API keys with webhooks:read and webhooks:write, or use an OAuth access token from a connected app with the same scopes.
For company workspaces, pass companyId on list and create requests.
3. Create an endpoint in the dashboard
- Sign in and open Settings → Webhooks (
/settings/webhooks). - Under Endpoints, enter your Endpoint URL (the public HTTPS callback).
- Optionally add a Description (for example "Production CRM sync").
- Select the Events you want (at least one is required). Common choices:
link.clickedfor click trackinglink.created/link.updated/link.deletedfor link lifecyclepost.publishedandcampaign.createdfor funnel events
- Click Add endpoint.
After creation, Styrar shows your signing secret (whsec_live_… or whsec_test_…). Copy it immediately and store it in your secrets manager. It is shown only once. If you lose it, use Rotate secret on the endpoint and update your server.
4. Create an endpoint via the API
Authorization: Bearer sty_live_your_api_key
Content-Type: application/json
{
"companyId": "cmxyz_company",
"url": "https://your-app.com/webhooks/styrar",
"description": "Production CRM sync",
"eventTypes": [
"link.clicked",
"link.created"
]
}{
"id": "wh_ep_abc123",
"url": "https://your-app.com/webhooks/styrar",
"description": "Production CRM sync",
"enabled": true,
"eventTypes": [
"link.clicked",
"link.created"
],
"secretPrefix": "whsec_l",
"companyId": "cmxyz_company",
"userId": null,
"disabledAt": null,
"createdAt": "2026-06-22T12:00:00.000Z",
"updatedAt": "2026-06-22T12:00:00.000Z",
"secret": "whsec_live_abc123onlyShownOnce"
}Store secret immediately. It is not returned on later GET requests. An empty eventTypes array subscribes to all event types; the dashboard requires at least one explicit event.
5. Send a test event
Confirm your server is reachable before relying on live traffic.
Dashboard: On the endpoint row, click Send test. Styrar delivers a webhook.test event. You should see a success toast with the HTTP status code.
API:
Authorization: Bearer sty_live_your_api_key{
"ok": true,
"statusCode": 200
}When the test succeeds, your server should have received a webhook.test event (see Receive an event on your server below).
Check Recent deliveries in the dashboard (or GET /v1/webhooks/deliveries) if the test fails. Common issues:
| Problem | What to check |
|---|---|
| Connection refused / timeout | URL is public HTTPS, firewall allows Styrar, tunnel is running |
| HTTP 4xx/5xx from your app | Handler returns 2xx after verify; log raw body and headers |
| Signature verification fails | Use raw body, correct secret, constant-time compare |
| Endpoint disabled | Re-enable in dashboard or fix the issue that caused HTTP 410 |
6. Verify and process deliveries
On every POST to your URL:
- Parse
Styrar-Signatureinto timestamptand digestv1. - Reject if
tis older than your tolerance (5 minutes recommended). - Compute HMAC-SHA256 of
"{t}.{raw_body}"with your endpoint secret. - Compare with
v1using a constant-time check. - Parse JSON only after verification succeeds.
- Deduplicate on
Styrar-Event-Id(at-least-once delivery).
See the Verifying signatures section below for a Node.js example.
7. Go live
- Keep the endpoint Enabled in the dashboard.
- Subscribe only to events you need (reduces noise and cost).
- Monitor Recent deliveries for failures and use Retry when needed.
- Rotate the secret if it may have leaked (Rotate secret in dashboard or
POST …/rotate-secret).
Quick start
- Get API access with
webhooks:readandwebhooks:writescopes (API key or OAuth). - Expose a public HTTPS receiver and create an endpoint in Settings → Webhooks or via
POST /v1/webhooks/endpoints. - Copy the signing secret when shown and store it securely.
- Send a test event and confirm your server verifies
Styrar-Signatureand returns 2xx. - Process live events with deduplication on
Styrar-Event-Id.
Authentication
Webhook management requires a Bearer token with the scopes listed in step 2 above. API keys with matching scopes work the same way as OAuth access tokens.