Webhooks Management API

Pro — Manage webhook endpoints programmatically. All webhook URLs must use HTTPS and pass SSRF validation. Payloads are signed with HMAC-SHA256.

Tier	Webhook limit	Events
Pro	1	score_change
Growth	5	score_change, scan_complete, threshold_alert, batch_complete

GET /api/v1/webhooks

Request

curl https://zeodyn.com/api/v1/webhooks \
  -H "Authorization: Bearer zd_live_xxxxx"

Response (200 OK)

{
  "webhooks": [
    {
      "id": "w1a2b3c4-...",
      "url": "https://hooks.example.com/zeodyn",
      "label": "Slack notifier",
      "events": ["score_change"],
      "isActive": true,
      "lastTriggeredAt": "2026-02-22T10:30:00.000Z",
      "lastStatusCode": 200,
      "failureCount": 0,
      "createdAt": "2026-02-20T12:00:00.000Z"
    }
  ],
  "limit": 1,
  "used": 1,
  "allowedEvents": ["score_change"]
}

POST /api/v1/webhooks

Request

curl -X POST https://zeodyn.com/api/v1/webhooks \
  -H "Authorization: Bearer zd_live_xxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://hooks.example.com/zeodyn",
    "label": "Slack notifier",
    "events": ["score_change"]
  }'

Field	Type	Required	Description
url	string	Yes	HTTPS endpoint URL
events	string[]	Yes	Event types to subscribe to
label	string	No	Friendly name (max 100 chars)

Response (201 Created)

{
  "webhook": {
    "id": "w1a2b3c4-...",
    "url": "https://hooks.example.com/zeodyn",
    "label": "Slack notifier",
    "events": ["score_change"],
    "isActive": true,
    "createdAt": "2026-02-22T10:30:00.000Z"
  },
  "secret": "a1b2c3d4e5f6..."
}

The webhook secret is only returned once at creation time. Store it securely to verify HMAC-SHA256 signatures on incoming payloads.

DELETE /api/v1/webhooks/{id}

Request

curl -X DELETE https://zeodyn.com/api/v1/webhooks/w1a2b3c4-... \
  -H "Authorization: Bearer zd_live_xxxxx"

Response (200 OK)

{ "deleted": true }

POST /api/v1/webhooks/{id}/test

Send a test delivery to verify your webhook endpoint is working correctly. Rate limited to 5 test deliveries per hour.

Request

curl -X POST https://zeodyn.com/api/v1/webhooks/w1a2b3c4-.../test \
  -H "Authorization: Bearer zd_live_xxxxx"

Response (200 OK)

{
  "success": true,
  "statusCode": 200,
  "message": "Test delivery successful."
}

Verifying signatures

Every webhook delivery includes an X-Zeodyn-Signature header containing the HMAC-SHA256 signature of the request body.

Node.js verification example

const crypto = require('crypto');

function verifySignature(body, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

For full details on event types and payload formats, see the Webhooks guide.

Webhooks Management API

Pro — Manage webhook endpoints programmatically. All webhook URLs must use HTTPS and pass SSRF validation. Payloads are signed with HMAC-SHA256.

Tier	Webhook limit	Events
Pro	1	score_change
Growth	5	score_change, scan_complete, threshold_alert, batch_complete

GET /api/v1/webhooks

Request

curl https://zeodyn.com/api/v1/webhooks \
  -H "Authorization: Bearer zd_live_xxxxx"

Response (200 OK)

{
  "webhooks": [
    {
      "id": "w1a2b3c4-...",
      "url": "https://hooks.example.com/zeodyn",
      "label": "Slack notifier",
      "events": ["score_change"],
      "isActive": true,
      "lastTriggeredAt": "2026-02-22T10:30:00.000Z",
      "lastStatusCode": 200,
      "failureCount": 0,
      "createdAt": "2026-02-20T12:00:00.000Z"
    }
  ],
  "limit": 1,
  "used": 1,
  "allowedEvents": ["score_change"]
}

POST /api/v1/webhooks

Request

curl -X POST https://zeodyn.com/api/v1/webhooks \
  -H "Authorization: Bearer zd_live_xxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://hooks.example.com/zeodyn",
    "label": "Slack notifier",
    "events": ["score_change"]
  }'

Field	Type	Required	Description
url	string	Yes	HTTPS endpoint URL
events	string[]	Yes	Event types to subscribe to
label	string	No	Friendly name (max 100 chars)

Response (201 Created)

{
  "webhook": {
    "id": "w1a2b3c4-...",
    "url": "https://hooks.example.com/zeodyn",
    "label": "Slack notifier",
    "events": ["score_change"],
    "isActive": true,
    "createdAt": "2026-02-22T10:30:00.000Z"
  },
  "secret": "a1b2c3d4e5f6..."
}

The webhook secret is only returned once at creation time. Store it securely to verify HMAC-SHA256 signatures on incoming payloads.

DELETE /api/v1/webhooks/{id}

Request

curl -X DELETE https://zeodyn.com/api/v1/webhooks/w1a2b3c4-... \
  -H "Authorization: Bearer zd_live_xxxxx"

Response (200 OK)

{ "deleted": true }

POST /api/v1/webhooks/{id}/test

Send a test delivery to verify your webhook endpoint is working correctly. Rate limited to 5 test deliveries per hour.

Request

curl -X POST https://zeodyn.com/api/v1/webhooks/w1a2b3c4-.../test \
  -H "Authorization: Bearer zd_live_xxxxx"

Response (200 OK)

{
  "success": true,
  "statusCode": 200,
  "message": "Test delivery successful."
}

Verifying signatures

Every webhook delivery includes an X-Zeodyn-Signature header containing the HMAC-SHA256 signature of the request body.

Node.js verification example

const crypto = require('crypto');

function verifySignature(body, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

For full details on event types and payload formats, see the Webhooks guide.