Create a webhook endpoint
Registers an HTTPS endpoint to receive signed event deliveries.
Requires webhooks:manage. Apps may register at most 20 endpoints
(409 limit_exceeded beyond that).
The response includes the endpoint’s HMAC signing secret exactly
once — store it securely; it cannot be retrieved again (idempotent
replays of the create response deliberately omit it). To rotate a
secret, create a new endpoint, migrate, then delete the old one.
Authorizations
Partner API key sent as a Bearer token:
Authorization: Bearer gd_live_...Keys are issued by the GrowDental team (invite-only), shown once
at creation, and stored server-side only as a SHA-256 hash. Key format:
gd_live_ (or gd_test_) followed by a 43-character base62 secret
(~256 bits of entropy). To rotate, request a new key, deploy it, then
ask us to revoke the old one — both keys work during the overlap.
Headers
Client-generated unique key (e.g. a UUID) making the POST safely
retryable for 24 hours: retries with the same key and payload replay
the original response; the same key with a different payload is
rejected with 409 idempotency_conflict. Strongly recommended on
every POST — required in practice for call-request creation, where a
blind retry can dial patients twice.
255Body
HTTPS URL that will receive event deliveries. Must be publicly reachable.
500"https://api.example-pms.com/growdental/webhooks"
Event types to deliver to this endpoint.
1Event types deliverable to webhook endpoints. call_attempt.resolved
and appointment.booked are planned (Phase 2) — valid to subscribe to
now, but not yet emitted.
call.completed, call.recording.ready, call_request.completed, call_attempt.resolved, appointment.booked Response
Endpoint created. The secret is shown only in this response.
Returned only from endpoint creation — includes the one-time signing secret.
Event types deliverable to webhook endpoints. call_attempt.resolved
and appointment.booked are planned (Phase 2) — valid to subscribe to
now, but not yet emitted.
call.completed, call.recording.ready, call_request.completed, call_attempt.resolved, appointment.booked disabled endpoints receive no deliveries. Endpoints are
auto-disabled after sustained delivery failures; re-enable via
PATCH once your receiver is healthy.
active, disabled Consecutive failed deliveries; resets on success.
HMAC-SHA256 signing secret for this endpoint. Shown only in
this response — it is stored encrypted and cannot be
retrieved again. Use it to verify the X-GrowDental-Signature
header on every delivery.