Skip to content
Stratum Docs

Webhooks API

Webhook Endpoints

MethodPathDescription
POST/api/v1/webhooksCreate webhook
GET/api/v1/webhooksList webhooks
GET/api/v1/webhooks/:idGet webhook
PATCH/api/v1/webhooks/:idUpdate webhook
DELETE/api/v1/webhooks/:idDelete webhook
POST/api/v1/webhooks/:id/testTest webhook delivery
GET/api/v1/webhooks/:id/deliveriesList deliveries for webhook

Delivery Endpoints (DLQ)

MethodPathDescription
GET/api/v1/webhooks/deliveries/statsGet delivery statistics
GET/api/v1/webhooks/deliveries/failedList failed deliveries
POST/api/v1/webhooks/deliveries/retry-allRetry all failed
POST/api/v1/webhooks/deliveries/:deliveryId/retryRetry single delivery

Other Endpoints

MethodPathDescription
GET/api/v1/audit-logsList audit logs (with filters)
GET/api/v1/audit-logs/:idGet single audit entry
POST/api/v1/tenants/:id/consentGrant consent
GET/api/v1/tenants/:id/consentList consent records
DELETE/api/v1/tenants/:id/consent/:purposeRevoke consent
POST/api/v1/maintenance/purge-expiredPurge expired data
POST/api/v1/maintenance/rotate-encryption-keyRotate encryption key

Create Webhook

POST /api/v1/webhooks

Body:

{
  "url": "https://your-app.com/webhooks/stratum",
  "tenant_id": "uuid (optional, null for global)",
  "events": ["tenant.created", "config.updated"],
  "secret": "your-signing-secret"
}
FieldTypeRequiredDescription
urlstringYesHTTPS endpoint for deliveries
tenant_idUUIDNoScope to a tenant (null for all events)
eventsstring[]YesEvent types to subscribe to
secretstringNoHMAC-SHA256 signing secret (encrypted at rest)

Supported events: tenant.created, tenant.updated, tenant.deleted, tenant.moved, config.updated, config.deleted, permission.created, permission.updated, permission.deleted

Response: 201 Created — returns the webhook object.

List Webhooks

GET /api/v1/webhooks?tenant_id=<uuid>

Scoped keys automatically filter to their own tenant’s webhooks.

Response: 200 OK — array of webhook objects.

Update Webhook

PATCH /api/v1/webhooks/:id

Body (all optional):

{
  "url": "https://new-endpoint.com/hook",
  "events": ["tenant.created", "tenant.updated"],
  "secret": "new-signing-secret"
}

Response: 200 OK — returns the updated webhook.

Test Webhook

POST /api/v1/webhooks/:id/test

Sends a synthetic test event to the webhook URL and reports the response.

Response: 200 OK

{
  "success": true,
  "response_code": 200
}

Delivery Statistics

GET /api/v1/webhooks/deliveries/stats

Response: 200 OK

{
  "total": 150,
  "pending": 5,
  "success": 130,
  "failed": 15
}

List Failed Deliveries

GET /api/v1/webhooks/deliveries/failed?limit=100

Returns failed deliveries (dead-letter queue) with joined webhook and event data.

ParamTypeDefaultDescription
limitinteger100Max results (1—500)

Response: 200 OK — array of failed delivery objects.

Retry All Failed

POST /api/v1/webhooks/deliveries/retry-all

Resets all failed deliveries for retry (clears attempt counter, sets status to pending).

Response: 200 OK

{
  "retried": 15
}

Retry Single Delivery

POST /api/v1/webhooks/deliveries/:deliveryId/retry

Response: 200 OK{"success": true}

Audit Logs

GET /api/v1/audit-logs

Query Parameters:

ParamTypeDescription
tenant_idUUIDFilter by tenant
actionstringFilter by action (e.g., tenant.created)
resource_typestringFilter by resource type
actor_idstringFilter by actor
fromISO 8601Start of date range
toISO 8601End of date range
limitnumberMax results, 1—100 (default: 50)
cursorUUIDCursor for keyset pagination

Response: 200 OK — array of audit entries.

Rotate Encryption Key

POST /api/v1/maintenance/rotate-encryption-key

Re-encrypts all sensitive config entries and webhook secrets from the old key to the new key in a single atomic transaction.

Body:

{
  "old_key": "current-encryption-key",
  "new_key": "new-encryption-key"
}

Response: 200 OK

{
  "config_entries_rotated": 12,
  "webhooks_rotated": 5
}

After rotation, update the STRATUM_ENCRYPTION_KEY environment variable and restart the control plane.