Strimz
API Reference

Webhooks

Register endpoints; inspect deliveries; rotate secrets; replay.

Endpoints

POST /v1/webhook-endpoints
{
  "url": "https://your-site.com/webhooks/strimz",
  "events": ["payment.completed", "subscription.charged"],
  "mode": "live",
  "description": "Production receiver"
}

Returns:

{
  "endpoint": {
    "id": "ep_xyz",
    "url": "https://your-site.com/webhooks/strimz",
    "events": ["payment.completed", "subscription.charged"],
    "mode": "live",
    "status": "active",
    "signingSecretPrefix": "whsec_abcd",
    ...
  },
  "signingSecret": "whsec_xxxxxxxxxxxxxxxxxxxx"
}

signingSecret is shown only once. Save it into your secrets manager before you close the response.

GET  /v1/webhook-endpoints/{id}
GET  /v1/webhook-endpoints
POST /v1/webhook-endpoints/{id}/disable
POST /v1/webhook-endpoints/{id}/enable
POST /v1/webhook-endpoints/{id}/rotate-secret

Deliveries

GET /v1/webhook-deliveries/{id}
GET /v1/webhook-deliveries?endpointId=ep_xyz&status=permanently_failed
POST /v1/webhook-deliveries/{id}/replay

Replay puts the delivery back on the queue. Handy for debugging a receiver: fix the bug, replay the last few failures, watch them land.

SSRF guard

Endpoint URLs must:

  • Use https://
  • Not resolve to private (RFC 1918), loopback, link-local, or CGNAT addresses
  • Be DNS-resolvable at registration time

The check runs again on every delivery, so an endpoint that starts resolving to internal infra later (DNS rebinding) gets blocked at send time.

Auto-disable

5+ permanent failures in a 24-hour window → endpoint flips to disabled automatically. Re-enable from the dashboard once your server is back online.

See the Webhooks guide for signature verification.

On this page