Webhooks
Subscribe to org events over signed outbound HTTP. Each delivery is HMAC-signed and logged, with a test button and retry visibility.
Webhooks push org events to your endpoints as signed HTTP POSTs — for syncing state, triggering CI, or feeding your own observability.
Add a webhook
Section titled “Add a webhook”From Integrations → Webhooks, or:
curl -X POST https://cloud.backlex.com/api/org/<org>/webhooks \ -H "Authorization: Bearer pak_..." \ -H "Content-Type: application/json" \ -d '{"url":"https://acme.com/hooks/backlex","events":["project.provisioned","alarm.fired"]}'The signing secret is returned once on creation. Subscribe to specific events or * for all.
Payload & signature
Section titled “Payload & signature”Each delivery POSTs:
{ "event": "alarm.fired", "payload": { /* event-specific */ }, "timestamp": 1730000000000 }signed with HMAC-SHA256 (hex) over the raw body, in the X-Backlex-Signature header. Verify before trusting it:
const sig = req.headers["x-backlex-signature"];const expected = hmacSha256Hex(secret, rawBody);if (sig !== expected) return reject();Events
Section titled “Events”project.provisioned, project.failed, project.paused, project.resumed, alarm.fired, member.invited, billing.plan_change.
Deliveries & testing
Section titled “Deliveries & testing”Every attempt is recorded with its response status in Recent deliveries. Use the Test action (or POST /webhooks/{id}/test) to send a sample delivery and confirm your endpoint is reachable. Managing webhooks requires the admin role.