Guides
Set Up Webhooks
Configure webhook endpoints and monitor deliveries.
Requirements
- Company-scoped API key
- Public HTTPS endpoint for receiving events
- Plan with webhook support
Create A Webhook
curl -X POST "https://api.hyrelog.com/v1/workspaces/WORKSPACE_ID/webhooks" \
-H "Authorization: Bearer YOUR_COMPANY_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-app.example.com/hyrelog/webhook",
"events": ["AUDIT_EVENT_CREATED"],
"customSecret": "optional-your-own-signing-secret"
}'If customSecret is omitted, HyreLog generates a random signing secret.
Store the returned secret safely; it is shown once.
Supported Event Types
Currently supported:
AUDIT_EVENT_CREATED
events in webhook configuration refers to webhook event types (not your ingested event action value).
How Signing Works
- HyreLog and your receiver share a webhook secret.
- HyreLog does not send the raw secret in webhook requests.
- Instead, HyreLog signs the raw request body using HMAC-SHA256 and sends:
x-hyrelog-signature: v1=<signature>
- Your receiver computes the same HMAC with its stored secret and compares signatures.
- If signatures match, the request is authentic and body integrity is verified.
Delivery Request Format
HyreLog delivers webhooks as POST JSON with headers similar to:
content-type: application/jsonx-hyrelog-signature: v1=<hex_hmac_sha256>x-hyrelog-timestamp: <unix_seconds>x-hyrelog-delivery-id: <uuid>x-hyrelog-attempt: <attempt_number>x-trace-id: <trace_id_if_available>
Sample payload body:
{
"id": "ab7f0ed0-0a40-4843-ad0c-5fa1ee65e081",
"timestamp": "2026-05-07T13:29:25.000Z",
"companyId": "c7d7f2f2-20f9-4d2e-a188-8f8f6c2ef001",
"workspaceId": "077df3cc-9ea1-423a-be6b-c34b9cffd75b",
"projectId": "b2fd8619-32fc-4de7-aa76-a4cd0f5f0f3a",
"category": "AUTH",
"action": "USER_LOGIN",
"actor": {
"id": "u_123",
"email": "person@example.com",
"role": "ADMIN"
},
"resource": {
"type": "USER",
"id": "user_42"
},
"metadata": {
"ip": "203.0.113.10"
},
"traceId": "933ed271-e43f-42ac-bdec-1471dfc38707",
"hash": "current_chain_hash",
"prevHash": "previous_chain_hash"
}x-hyrelog-signature is HMAC-SHA256 over the raw JSON body using your webhook secret.
If your endpoint also requires a separate access token/header, configure your receiver to accept both checks:
- transport/auth header checks (if any), and
- HyreLog signature verification.
List Webhooks
curl "https://api.hyrelog.com/v1/workspaces/WORKSPACE_ID/webhooks" \
-H "Authorization: Bearer YOUR_COMPANY_API_KEY"Inspect Deliveries
curl "https://api.hyrelog.com/v1/webhooks/WEBHOOK_ID/deliveries?limit=50" \
-H "Authorization: Bearer YOUR_COMPANY_API_KEY"Use delivery status to troubleshoot failures and retries.