search
Go to website

globe-pointerWebhooks

Configure webhook destinations, event subscriptions, signature verification, and secret rotation.

Receive real-time notifications about events during client interactions with Amigo.

circle-info

Classic API - These webhook endpoints are organization-scoped under the Classic API at api.amigo.ai.

circle-info

Real-time Events Webhooks enable your application to react immediately to conversation events, post-processing completions, and other system activities.

hashtag
Webhook Destinations

Feature
Details

Maximum Destinations

10 per organization

Event Filtering

Specify which event types to receive

Retry Configuration

Customize retry attempts for failed deliveries

Secret Management

Unique secret per destination for security

hashtag
Managing Webhook Destinations

Use these endpoints to manage your webhook destinations

hashtag
Create a webhook destination

post
/v1/{organization}/webhook_destination/

Create a new webhook destination. At most 10 webhook destinations can be defined per organization.

A secret will immediately be issued for the webhook destination. Every webhook sent to this destination will be signed using this secret. This secret is one-view only and cannot be retrieved later.

Permissions

This endpoint requires the following permissions:

  • Webhook:CreateWebhookDestination for the webhook destination.
Authorizations
AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters
organizationstringRequired
Header parameters
x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Body
urlstring · uri · min: 1Required

The URL to which the webhook will be sent. The URL must be in HTTPS.

retry_attemptsinteger · max: 5Optional

The number of attempts to retry sending the webhook event in case of failure.

Default: 3
Responses
post
/v1/{organization}/webhook_destination/

hashtag
Delete a webhook destination

delete
/v1/{organization}/webhook_destination/{webhook_destination_id}

Remove a webhook destination from the organization. The webhook destination might still be active for a few seconds after this endpoint returns.

Permissions

This endpoint requires the following permissions:

  • Webhook:DeleteWebhookDestination for the webhook destination.
Authorizations
AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters
webhook_destination_idstringRequired

The identifier of the webhook destination to update.

Pattern: ^[a-f0-9]{24}$
organizationstringRequired
Header parameters
x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Responses
delete
/v1/{organization}/webhook_destination/{webhook_destination_id}
No content

hashtag
Get webhook destinations

get
/v1/{organization}/webhook_destination/

Retrieve this organization's webhook destinations.

Permissions

This endpoint may be impacted by the following permissions:

  • Webhook:GetWebhookDestination on the webhook destinations to retrieve.
Authorizations
AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters
organizationstringRequired
Query parameters
idstring[]Optional

The IDs of the webhook destinations to retrieve.

Default: []
Header parameters
x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Responses
chevron-right
200

Succeeded.

application/json
get
/v1/{organization}/webhook_destination/

hashtag
Update a webhook destination

post
/v1/{organization}/webhook_destination/{webhook_destination_id}

Update certain configs for a webhook destination. The changes will only take effect a few seconds after this endpoint returns.

The URL of a webhook destination cannot be changed. Use Create a webhook destination instead.

Permissions

This endpoint requires the following permissions:

  • Webhook:UpdateWebhookDestination for the webhook destination.
Authorizations
AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters
webhook_destination_idstringRequired

The identifier of the webhook destination to update.

Pattern: ^[a-f0-9]{24}$
organizationstringRequired
Header parameters
x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Body
retry_attemptsany ofOptional

The number of attempts to retry sending the webhook event in case of failure. If not specified, this field is not updated.

integer · max: 5Optional
or
nullOptional
accepted_typesany ofOptional

A list of webhook types to receive. If not specified, this field is not updated.

or
nullOptional
Responses
post
/v1/{organization}/webhook_destination/{webhook_destination_id}
No content
circle-info

URL Cannot Be Changed The URL of a webhook destination cannot be updated. To change the URL, create a new webhook destination and delete the old one.

hashtag
Rotate the secret of a webhook destination

post
/v1/{organization}/webhook_destination/{webhook_destination_id}/rotate-secret

Replace the secret for the given webhook destination. The new secret will be returned and cannot be retrieved later.

Until the dual_signing_stops_at timestamp in the response, which is roughly 30 minutes after the generation of the new secret, the webhook will be signed by both the old and the new secret. This allows the webhook consumer to transition to the new secret without downtime.

The webhook rotation can occur at most once per hour for each webhook destination.

Permissions

This endpoint requires the following permissions:

  • Webhook:UpdateWebhookDestination for the webhook destination.
Authorizations
AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters
webhook_destination_idstringRequired

The ID for the webhook destination to rotate the secret for.

Pattern: ^[a-f0-9]{24}$
organizationstringRequired
Header parameters
x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Responses
chevron-right
200

Succeeded.

application/json
secretstringRequired

The new secret used to sign the webhook event. This is only visible once and cannot be retrieved later. For the next 30 minutes, the webhook will be signed by both the old and the new secret.

dual_signing_stops_atstring · date-timeRequired

A UTC time where the dual-signing behavior stops. After this time, webhooks will only be signed using the new secret from this endpoint.

post
/v1/{organization}/webhook_destination/{webhook_destination_id}/rotate-secret
circle-info

Rate Limit Secret rotation can occur at most once per hour for each webhook destination.

hashtag
Get webhook deliveries

get
/v1/{organization}/webhook_destination/{webhook_destination_id}/delivery

Retrieve the webhook deliveries to a webhook destination.

Permissions

This endpoint may be impacted by the following permissions:

  • Webhook:GetWebhookDeliveries on the webhook deliveries to retrieve.
Authorizations
AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters
webhook_destination_idstringRequired

The ID of the webhook destination whose deliveries to retrieve.

Pattern: ^[a-f0-9]{24}$
organizationstringRequired
Query parameters
statusany ofOptional

The status of the webhook delivery.

string · enumOptionalPossible values:
or
nullOptional
typeany ofOptional

The type of the webhook.

stringOptional
or
nullOptional
created_afterany ofOptional

An ISO8601 timestamp in UTC of the earliest creation time of the webhook deliveries to retrieve.

string · date-timeOptional
or
nullOptional
created_beforeany ofOptional

An ISO8601 timestamp in UTC of the latest creation time of the webhook deliveries to retrieve.

string · date-timeOptional
or
nullOptional
limitinteger · max: 50Optional

The maximum number of webhook deliveries to retrieve.

Default: 50
continuation_tokenintegerOptional

The token from the previous request to return the next page of webhook deliveries.

Default: 0
sort_bystring[]Optional

The fields to sort the sets by. Supported fields are type, status, and created_at. Specify a + before the field name to indicate ascending sorting and - for descending sorting. Multiple fields can be specified to break ties.

Default: []
Header parameters
x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional
or
nullOptional
Sec-WebSocket-Protocolstring[]OptionalDefault: []
Responses
chevron-right
200

Succeeded.

application/json
has_morebooleanRequired

Whether there are more webhook deliveries to retrieve.

continuation_tokenany ofRequired

A token to supply to the next request to retrieve the next page of webhook deliveries. Only populated if has_more is True.

integerOptional
or
nullOptional
get
/v1/{organization}/webhook_destination/{webhook_destination_id}/delivery

hashtag
Delivery & Retries

circle-exclamation

Automatic Retry Logic Failed webhook deliveries are automatically retried with exponential backoff to ensure reliable event delivery.

Retry Attempt
Delay
Total Time

Initial

0s

Immediate

Retry 1

5s

5s

Retry 2

10s

15s

Retry 3

20s

35s

Retry 4

20s

55s

  • Configure retry attempts via retry_attempts parameter

  • View delivery history for past 30 days via API

hashtag
Delivery Sequence

spinner

hashtag
Security

hashtag
Webhook Signatures

Every webhook request is cryptographically signed to ensure authenticity.

triangle-exclamation

Secret Storage Store webhook secrets securely. Never commit them to version control or expose them in client-side code.

Signature Process:

  1. Receive secret when creating webhook destination

  2. Amigo signs all requests with HMAC-SHA256

  3. Validate signature on receipt to verify authenticity

hashtag
Request Headers

Header
Description

x-amigo-idempotent-key

Unique identifier persisting through retries for deduplication

x-amigo-request-timestamp

UNIX timestamp (milliseconds) of the delivery attempt

x-amigo-request-signature

HMAC-SHA256 signature of v1:{timestamp}:{body}

hashtag
Signature Verification

hashtag
Secret Rotation

circle-check

Zero-Downtime Rotation Dual-signing period allows smooth secret rotation without missing events.

Rotation Process:

Step
Action
Duration

1

Call rotation endpoint

Immediate

2

Receive new secret

Immediate

3

Dual-signing begins

30 minutes

4

Update verification logic

During dual-signing

5

Old secret expires

After dual_signing_stops_at

During dual-signing period:

  • Amigo sends two signatures per request

  • Accept either old or new signature

  • No webhook deliveries are lost

hashtag
Rotation States

spinner

hashtag
Webhook Event Types

hashtag
API Key Events

hashtag
api-key-expiration-soon

Triggered when an API key is approaching its expiration date. Notifications fire at 14, 7, and 1 day before expiration, enabling proactive key rotation and preventing service disruptions.

Payload structure:

circle-check

Proactive Key Rotation Subscribe to this event to automate key rotation workflows. Create a new API key, transition your applications, and revoke the expiring key before it becomes invalid.

hashtag
Post-Processing Events

hashtag
conversation-post-processing-complete

Triggered when asynchronous post-processing analysis completes for a conversation.

circle-info

Asynchronous Processing Post-processing runs after conversations end, performing deep analysis without blocking the user experience.

Payload structure:

Post-Processing Types:

Type
Description
Purpose

generate-user-models

Updates L2 user model with conversation insights

Enhanced personalization

extract-memories

Stores key information as L1 observations

Future context recall

compute-metrics

Calculates performance metrics

Quality and effectiveness measurement

chevron-rightProcessing Architecturehashtag

  • Live Sessions: Handle real-time interaction

  • Post-Processing: Performs deep analysis after conversation

  • No Blocking: User experience remains responsive

  • Async Updates: Memories, models, and metrics updated in background

PreviousCommon Query PatternsNextPermissions

Last updated

Was this helpful?