Create Webhook Endpoint
Register a new webhook endpoint to receive run.completed and other event deliveries.
Authorizations
Send the credential as Authorization: Bearer <key>.
Scoped partner credentials use the exclusive nxsk_v1_... namespace.
Each scoped key is bound at issuance to one organization, one canonical
named environment, an explicit engine set, and a least-privilege
capability set. A malformed, unknown, rotated, or revoked nxsk_ key
fails closed and is never retried as a legacy key.
Capabilities used by this API are runs:write, runs:read,
engines:read, catalog:read, webhooks:manage,
runs:defensibility:read, runs:test, and converse:use. Operation
descriptions name the required capability.
Grandfathered nx_live_... and nx_test_... keys retain their existing
broad access during the compatibility window.
Body
HTTPS endpoint URL to receive webhook deliveries.
Event types to subscribe to.
1run.completed, run.failed, run.superseded Optional human-readable description.
256Whether the endpoint starts active. Defaults to true.
Optional bearer token included as Authorization: Bearer <token>
on outbound deliveries.
1024Delivery body shape. Defaults to full. thin delivers only run
identifiers and terminal status (body stays under 1 KB); fetch the
full run with GET /api/v1/runs/{run_id}.
full, thin Response
Endpoint created. Secret is included only in this response.
Endpoint identifier.
Delivery target URL.
Environment this endpoint receives events from.
test, live Subscribed event types.
run.completed, run.failed, run.superseded Whether the endpoint is active.
Whether an auth token is set (the token value is never returned).
Payload version string (e.g. 2026-03-22).
RFC 3339 creation timestamp.
HMAC-SHA256 signing secret (whsec_...). Displayed only once.
Store it securely.
Human-readable description.
Delivery body shape. full (default) carries the complete run; thin carries only run identifiers and terminal status.
full, thin Exact instant when the previous secret stops being valid.
Present only while the system has deactivated the endpoint after a consecutive dead-letter streak. Cleared on re-enable.
Actor that deactivated the endpoint (system for the automatic dead-letter streak deactivation). Present only while deactivated.
Why the endpoint was deactivated, including the triggering delivery ID. Present only while deactivated.
RFC 3339 last-update timestamp.