Configure a workspace webhook
Bergur DavidsenUpdated 2026-07-14
A workspace webhook sends selected Usable events to an external HTTPS receiver. Configure it only after the receiver is ready to validate requests, acknowledge quickly, and handle duplicates safely.
Before configuring
Prepare the exact workspace, an approved public HTTPS receiver URL, required fragment events, receiver authentication, a test receiver, an owner, and a monitoring/removal plan.
Do not use localhost, private network destinations, insecure HTTP, credentials in query strings, or shared receiver URLs whose audience is unclear.
Configure from the dashboard
- Open the target workspace.
- Go to Settings → Webhooks.
- Choose New webhook.
- Enter a descriptive name.
- Add the exact HTTPS target URL.
- Select only required events.
- Add supported authentication headers where exposed.
- Save the webhook in the intended enabled state.
- Trigger a test with a representative fragment.
- Confirm the receiver and Usable delivery result.
Released public testing covers fragment.created, fragment.updated, and fragment.deleted. Do not assume additional event types are released because draft or internal contracts mention them.
REST management routes
The released public REST directory includes:
GET /api/workspaces/{id}/webhooks
POST /api/workspaces/{id}/webhooks
GET /api/workspaces/{id}/webhooks/{webhookId}
PATCH /api/workspaces/{id}/webhooks/{webhookId}
DELETE /api/workspaces/{id}/webhooks/{webhookId}
POST /api/workspaces/{id}/webhooks/triggerUse GET https://usable.dev/api/docs for exact request schemas and route authentication. Some webhook management routes are dashboard/session-oriented; do not assume PAT support.
Select events narrowly
For each selected event, define:
- the business action;
- required payload fields;
- deduplication identity;
- whether order matters;
- deletion handling;
- retry behavior;
- data retention.
Broad subscriptions increase data disclosure, noise, and retry load.
Configure receiver authentication
Use the strongest released verification option available. If custom auth headers are supported:
- use a dedicated random credential;
- store it in a secret manager;
- never include it in documentation or logs;
- validate it at the receiver;
- rotate it after exposure or on schedule;
- test the replacement before retiring the old value.
Roll out safely
- Start with a staging receiver.
- Test every selected event.
- Confirm manual tests cannot trigger production side effects.
- Verify authentication failures are rejected.
- Confirm duplicate and out-of-order handling.
- Measure acknowledgment latency.
- Move to production after review.
- Monitor the first real deliveries.
Update or disable
Before changing URL, events, or authentication, review dependent workflows and coordinate credential rotation. Avoid overlapping configurations that create duplicate side effects. Disable stale webhooks promptly and delete only after confirming no workflow relies on them.
Common failures
Target URL is rejected
Use an externally reachable HTTPS URL. Released safety guidance blocks insecure, localhost, private-range, and redirect-based SSRF destinations.
Webhook saves but receives nothing
Check enabled state, selected events, workspace, target reachability, and receiver authentication.
Receiver returns 401 or 403
The configured header and receiver secret may differ. Rotate deliberately; do not paste secrets into logs or support threads.
A read-only user cannot configure it
Webhook configuration is a workspace-management action. Ask an authorized workspace owner or administrator to review it.