Webhook integrations require the Scale plan. Attempting to register a webhook on a lower-tier plan returns
403.Payload envelope
Every webhook request shares the same top-level structure regardless of event type.The name of the event that fired. See Event reference for all possible values.
UUID of the organization that generated the event.
URL-safe slug for the organization (e.g.
acme-ops).ISO 8601 timestamp marking when the event was dispatched.
Event-specific payload. Shape varies by
event_type; see the event reference for full schemas.Verifying signatures
DocInject signs every request with HMAC-SHA256. The signature is included in theX-DocInject-Signature header as sha256=<hex-digest>.
Your webhook secret is returned once when you register a webhook (POST /webhooks). Store it securely. It is not retrievable afterwards.
To verify a request:
1
Read the raw request body
Compute the signature over the raw bytes before any JSON parsing.
2
Compute the expected signature
HMAC-SHA256 the raw body using your webhook secret.
3
Compare signatures
Use a constant-time comparison to check that your computed digest matches the
sha256= value in the header. Reject the request if they do not match.Delivery behavior
DocInject attempts delivery up to 3 times with exponential backoff (delays of 1 s and 2 s between retries). Your endpoint must return a2xx response within 10 seconds. Non-2xx responses and network errors are both treated as delivery failures.
