Create a webhook subscription
Register a URL to receive event notifications. Pick which
event types to subscribe to via event_types, or use "*"
to subscribe to every event. We deliver via HTTPS POST and
sign every body with HMAC-SHA256 — see the Webhooks tab
for the full signature scheme.
The response includes signing_secret exactly once. Save it
somewhere safe; we can’t show it again. (You can always
rotate it later if you lose track.)
Authorizations
Pass your secret key in the Authorization header as a Bearer
token: Authorization: Bearer sk_test_... (sandbox) or
Bearer sk_live_... (production).
Keys are created in the developer portal and the plaintext secret is shown exactly once at creation. Treat them like passwords — never embed them in mobile apps or front-end code.
Body
Response
Subscription created. The signing_secret field is the
only time the plaintext secret is returned —
store it somewhere safe.
"whk_01HXYZ8A6N7K2W9PQ4T5Z3V6E0"
[
"connection.requires_action",
"connection.active",
"connection.failed",
"connection.disconnected",
"connection.capability_changed",
"account.refresh.completed",
"account.refresh.failed"
]
active, paused, disabled Plaintext signing secret. Use HMAC-SHA256 with this secret
to verify the X-LS-Webhook-Signature header on incoming
deliveries. Returned ONCE; store it securely.
