Webhooks API
Webhooks let you receive real-time HTTP notifications when events happen in your REV23 account. When an event occurs — such as a customer being created or a release form being generated — REV23 sends an HTTP POST request to the URL you configure with a JSON payload describing the event.
Not a developer? You don’t need to build anything yourself. Our Zapier integration lets you connect REV23 to thousands of apps with no code. See Webhooks Overview for more info.
This guide covers custom webhook subscriptions for developers building their own integrations.
Available Events
Section titled “Available Events”| Event | Description |
|---|---|
customer.created | A new customer was created |
customer.updated | A customer was updated |
user.created | A new user was created |
service.created | A new service was created |
service.completed | A service was marked complete |
service.user_assigned | A user was assigned to a service |
service_session.created | A new service session was created |
service_session.started | A service session was started |
service_session.ended | A service session ended |
release_form.generated | A release form PDF was generated |
lead.created | A new idea was created (the event name uses lead for historical reasons) |
Event Scoping
Section titled “Event Scoping”Events fall into two categories based on how subscriptions are matched:
Account-wide events like customer.created and user.created fire for all active subscriptions for that event.
User-scoped events are tied to an entity with an assigned user (services, ideas, release forms). A subscription receives a user-scoped event if the subscriber is:
- The assigned user on the entity (e.g., the artist assigned to the service)
- An owner of the account
- A user with the
subscribe.all:webhookpermission
If the entity has no assigned user (e.g., an unassigned idea), the event is treated as account-wide and all active subscriptions fire.
| Event | Scoping |
|---|---|
customer.created | Account-wide |
customer.updated | Account-wide |
user.created | Account-wide |
service.created | User-scoped |
service.completed | User-scoped |
service.user_assigned | User-scoped |
service_session.created | User-scoped |
service_session.started | User-scoped |
service_session.ended | User-scoped |
release_form.generated | User-scoped |
lead.created | User-scoped |
Creating a Subscription
Section titled “Creating a Subscription”Webhook subscriptions are created in REV23 Cloud. Navigate to your Webhook settings and create a new subscription by providing:
- Event — The event to subscribe to (e.g.,
customer.created). - URL — The HTTPS endpoint that will receive webhook POST requests.
- Active — Whether the subscription is active.
- Custom Headers — Optional headers to include in every webhook delivery (useful for authentication with your endpoint).
After creation, a secret is generated for signature verification. Store this value immediately — you will need it to verify webhook payloads and it cannot be retrieved again.
Managing Subscriptions
Section titled “Managing Subscriptions”You can manage your webhook subscriptions from the same settings page where you created them. You can edit, deactivate, or delete subscriptions at any time.
Delivery history is also available for each subscription, showing the success/failure status, HTTP response status code, and response body for each delivery attempt.
Payload Format
Section titled “Payload Format”Webhook payloads are sent as JSON via HTTP POST. The body contains the model for the entity related to the event, serialized with camelCase property names.
Example customer.created payload:
{ "id": "cus_abc123", "firstName": "Jane", "lastName": "Doe", "email": "jane@example.com", "createdOnUtc": "2026-01-15T10:30:00+00:00"}Signature Verification
Section titled “Signature Verification”Every webhook request includes an x-rev23-signature header containing an HMAC-SHA256 signature of the request body, computed using the secret returned when you created the subscription.
The header format is:
x-rev23-signature: sha256=<hex-digest>You should always verify this signature to confirm the request came from REV23.
const crypto = require('crypto');
function isSignatureValid(body, secret, signatureHeader) { const hmac = crypto.createHmac('sha256', secret); hmac.update(body, 'utf8'); const expected = `sha256=${hmac.digest('hex')}`; return crypto.timingSafeEqual( Buffer.from(signatureHeader), Buffer.from(expected) );}import hmacimport hashlib
def is_signature_valid(body: str, secret: str, signature_header: str) -> bool: expected = "sha256=" + hmac.new( secret.encode(), body.encode(), hashlib.sha256 ).hexdigest() return hmac.compare_digest(signature_header, expected)Delivery Behavior
Section titled “Delivery Behavior”- Webhooks are delivered asynchronously. There may be a short delay between when an event occurs and when your endpoint receives the request.
- Webhook deliveries have a 30-second timeout. If your endpoint does not respond within 30 seconds, the delivery is considered failed.
- Failed deliveries are retried up to 10 times with exponential backoff.
- If your endpoint returns HTTP 410 (Gone), the subscription is immediately deactivated.
- After 15 consecutive failures, the subscription is automatically deactivated.
- Custom headers configured on the subscription are included in every delivery attempt.
Zapier
Section titled “Zapier”If you don’t need a fully custom integration, consider using our Zapier integration instead. Zapier manages webhook subscriptions automatically — no code, no signature verification, no endpoint to host. It connects REV23 to thousands of apps out of the box.