Skip to content

Webhooks

A webhook POSTs every matching event to a URL you control. Everything you need to configure one — URL, secret, event filter, retries, control mode — lives in the dashboard’s Project Settings → Webhooks panel.

Open Project Settings → Webhooks in the dashboard. Each subscriber is a card with all its fields inline; saves take effect on the next run.

The Project Settings → Webhooks panel: Hook Events toggle and Rate limit (ms) at the top of the EVENT SYSTEM section, then the WEBHOOKS section with a Webhook 1 card containing URL, SECRET (HMAC signing), EVENT PATTERNS (set to pipeline.*), TIMEOUT (10000) / RETRIES (3) / RATE LIMIT (1000) fields, a Control Webhook sl-switch (off) with the description "Allow this webhook to control the pipeline (requires non-empty secret)", and Test / Remove buttons. Add Webhook + Save / Reset buttons sit beneath.

Per subscriber:

FieldWhat it does
URLThe endpoint that receives the POST. Required.
SecretHMAC signing secret. Routed to settings.local.json (gitignored) — see Secrets.
Event PatternsComma-separated fnmatch patterns (pipeline.run.*, workspace.*, a bare *). Empty means all events.
Timeout / Retries / Rate LimitDelivery limits per subscriber.
Control WebhookToggle that promotes this subscriber to a synchronous control endpoint (see below).
TestSends a one-shot ping so you can confirm delivery without launching a pipeline.

Above the subscriber list, the Event System controls let you toggle event emission as a whole (Events Enabled), include high-volume per-tool telemetry (Agent Telemetry), include hook governance events (Hook Events), and set the global Rate Limit (ms) — the minimum interval between same-event-type sends per webhook.

Each POST carries headers you can route and verify on:

HeaderValue
X-Worca-Eventthe event_type string
X-Worca-Deliverythe event_id (UUID) — use it to dedupe
X-Worca-Signaturesha256=<hex> — present only when a secret is set

When a secret is configured, worca signs the body with HMAC-SHA256 and sends it in X-Worca-Signature. Verify it with a timing-safe comparison — recompute the HMAC over the raw request body with your shared secret and compare against the header. Never compare with a plain ==.

Flip the Control Webhook switch on a subscriber to promote it from one-way delivery to a synchronous control endpoint. The switch is gated by the Secret field — without a non-empty signing secret it stays inert; the inline description in the screenshot above spells out the contract.

When enabled, the pipeline calls control webhooks synchronously at milestones and reads an action from the JSON response body:

{ "control": { "action": "pause" } }

The action is pause, abort, or continue — letting an external system gate the pipeline, for example holding a run until a deploy window opens. (Only the response shape — what your endpoint must return — needs JSON here; everything on worca’s side is the UI toggle plus secret.)