Documentation
All documentation

Account and operations

Use API keys and signed webhooks

Create scoped integration credentials, verify signed webhook deliveries, and operate integrations without exposing secrets.

For
Workspace owners, admins, and integration developers
Typical time
15 minutes
Open integrations settings

Before you start

  • An eligible plan and workspace role
  • A secure secret manager for credentials

Procedure

Step by step

  1. Create a named API key

    Use a purpose-specific name. Copy the plaintext value immediately and store it in a secret manager; the full value is not shown again.

  2. Configure a webhook endpoint

    Use HTTPS in production, select only required events, and store the signing secret securely.

  3. Verify every delivery

    Validate the timestamped HMAC signature against the raw request body, enforce the allowed time window, and reject mismatches before parsing or acting.

  4. Test, observe, and rotate

    Send a test event, inspect delivery status, rotate exposed secrets, and revoke unused keys. Do not place credentials in browser code or logs.

Delivery safety

Webhook retries can repeat an event, so consumers should be idempotent. Treat payloads as workspace data and avoid logging document content, private URLs, tokens, or credentials.