Webhooks push events to your server the moment they happen — no polling. You register an HTTPS endpoint, choose which events to receive, and Crevio sends a signed JSON POST whenever one fires.
Use them to sync data, trigger your own automations, fulfill purchases, and feed analytics — anything where your code needs to react to something happening in Crevio.
Creating an endpoint
Create endpoints from the dashboard, via the API , or with the TypeScript SDK .
Via dashboard
Open Developer settings
In your dashboard, go to Settings → Developer .
Create a new endpoint
Click New webhook endpoint and enter the HTTPS URL that should receive events. (HTTP is allowed only in local development.)
Select events
Choose which event types to subscribe to, individually or all at once.
Save and copy the secret
Crevio generates a signing secret (prefixed whsec_) shown once. Copy it now — you’ll use it to verify incoming requests.
Via API
Like every Crevio endpoint, params go at the top level (no {"webhook_endpoint": {...}} wrapper). Subscribe with enabled_events.
The response includes a secret — returned only on creation :
Copy your signing secret immediately. It’s shown once on creation and cannot be retrieved later — you’ll need it to verify signatures.
List the available event types programmatically:
Testing an endpoint
Send a synthetic event to any active endpoint to verify your handler:
You can also test from the dashboard: Settings → Developer → Send test , then pick an event type. Test deliveries include "test": true in the body and are not persisted to your delivery history.
Use webhook.site or ngrok during development to inspect payloads without standing up a server.
Available events
These are the event types you can subscribe to via enabled_events. Each has a dedicated page under Webhook Events in the API reference showing its exact payload.
Commerce
Event Fires when checkout.createdA checkout session is created order.createdAn order is created order.paidAn order is paid refund.createdA refund is issued refund.updatedA refund’s status changes invoice.createdAn invoice is created invoice.paidAn invoice is paid invoice.past_dueAn invoice passes its due date invoice.voidedAn invoice is voided
Leads & customers
Event Fires when lead.createdA new lead is captured form_submission.createdA form submission is received form_submission.confirmedA pending submission is confirmed (double opt-in) customer.confirmedA customer confirms their email (double opt-in)
Catalog
Event Fires when product.createdA product is created product.updatedA product is updated
AI Tasks & Jobs
Event Fires when task.createdAn AI task is created task_run.completedA task run finishes successfully task_run.failedA task run fails task_run.needs_inputA supervised task run is awaiting input job.completedA background job (e.g. media generation) completes job.failedA background job fails
Email
Event Fires when email_message.receivedAn inbound email is received email_message.sentAn email is sent email_message.deliveredAn email is delivered email_message.bouncedAn email bounces email_message.complainedA recipient marks an email as spam email_message.failedAn email fails to send
Every delivery is an HTTP POST with a JSON body in this shape:
Field Description idUnique id for this event (whev_…) — use it to deduplicate created_atISO 8601 timestamp the event was created typeThe event type (e.g. order.paid) api_versionAPI version used to render the payload dataThe serialized resource for the event (order, customer, invoice, …)
The shape of data varies by event type — it’s the serialized resource relevant to that event.
Delivery history
Each delivered event is persisted as a webhook event you can inspect. List your delivery history:
Fetch a single delivery with GET /webhook_events/{id}.
Retry behavior
Crevio expects a 2xx response within 5 seconds . If the request fails or times out:
The event is marked failed .
Failed events are retained for 7 days , then auto-deleted.
Crevio does not auto-retry failed deliveries. Re-trigger the underlying action, or use the test feature.
Endpoint statuses
Status Meaning activeReceiving events normally inactiveDisabled — receives no events
Deactivate an endpoint without deleting it; reactivating resumes delivery for new events.
Security
Verifying signatures
Every request includes an X-Crevio-Hmac-SHA256 header: a Base64-encoded HMAC-SHA256 of the raw request body, keyed with your signing secret. Verify it before trusting a payload.
Read the raw body
Read the request body as a raw string — do not re-serialize parsed JSON.
Compute the digest
HMAC-SHA256 over the raw body, keyed with your whsec_ secret.
Base64-encode
Base64-encode the digest.
Compare
Constant-time compare against the header value.
Always verify the signature before processing a payload. Without it, anyone could forge events to your endpoint.
Best practices
Respond fast — return 200 immediately, then process asynchronously to avoid timeouts.
Deduplicate — use the event id (whev_…); the same event may arrive more than once.
Use HTTPS — required in production.
Protect your secret — store it in env vars or a secrets manager; never commit it.
Beyond the default JSON, Crevio can format deliveries for chat platforms:
Format Use case Raw (default) Standard JSON for your own server Slack Pre-formatted for Slack incoming webhooks Discord Pre-formatted for Discord webhook URLs
Select the format when creating or editing the endpoint.
How webhooks differ from event-triggered Tasks
Both react to platform events, but they do different jobs:
Webhook Event-triggered Task Who acts Your server / your code Crevio’s AI agent You provide An HTTPS endpoint A natural-language prompt Best for Syncing, custom fulfillment, analytics Autonomous follow-ups, drafting, decisions Setup POST /webhook_endpointsPOST /tasks with trigger_type: "event"
The subscribable internal events (and any third-party triggers) are documented under Events .
Next steps
Events Internal and third-party triggers for event Tasks.
Tasks Let Crevio’s AI react to events on your behalf.
Autonomous outreach A worked event-triggered Task on order.paid.
API overview The full set of primitives.