Skip to content

Create a webhook endpoint

This guide walks you through registering an HTTPS endpoint to receive MapleGather webhook events, storing the HMAC signing secret, and verifying that your receiver is correctly set up.

Who can do this: Admins with the webhooks:write scope.

  • You need a publicly reachable HTTPS endpoint on your server. HTTP endpoints are not accepted.
  • Your server must be able to verify HMAC-SHA256 signatures. See How HMAC webhook signing works for the verification algorithm.
  • Decide which event types you need. The M1 catalog is: member.created, payment.succeeded, event_registration.confirmed.
  1. Go to Admin & Security > Integrations > Webhooks.
  2. Select New endpoint.
  3. In the Delivery URL field, enter your HTTPS endpoint URL. If you enter an HTTP URL, the form blocks saving with the error “HTTPS required for webhook targets.”
  4. Under Events, check each event type your endpoint should receive. You must select at least one.
  5. Leave API version set to v1 unless you have a specific reason to pin a different version.
  6. Select Create endpoint.

The HMAC signing secret is shown exactly once. Read the warning, copy the secret now, and store it securely (for example, in your secrets manager). Select I’ve stored it safely to close the reveal. If the copy button fails, the secret field stays selectable — select all the text and copy it manually.

After the reveal closes, a verification guidance panel appears. It shows the algorithm for confirming that events came from MapleGather:

  • Recompute HMAC-SHA256 over the string <X-Webhook-Timestamp>.<raw request body>.
  • Compare the result to the value in the X-Webhook-Signature header.
  • Reject the delivery if the X-Webhook-Timestamp is more than five minutes old (replay defense).
  1. Optionally, select Send a test event to dispatch a signed ping delivery to your endpoint. The screen polls for the delivery outcome and shows “Delivered ✓” or “Failed — {HTTP status}” so you can confirm your receiver is working before production events arrive.
  2. Select I’ve stored it safely to finish.

Your new endpoint appears in the Webhooks list with an “Active” status badge and the event types you selected. The HMAC secret is not shown again in the list.

After a test event: the test result shows “Delivered ✓” if your receiver returned a 2xx status.

  • “HTTPS required for webhook targets” error — your URL must use https://. Update the URL and try again.
  • The signing secret was not shown (degraded reveal) — if the create response could not carry the signing secret in this build, you’ll see “Signing secret unavailable in this build — rotate or retrieve it via support before relying on signature verification.” Your endpoint is still created and active. Use ⋮ > Rotate secret (webhook_secrets_rotate) to issue a fresh whsec_… secret in place — the endpoint and its subscriptions are preserved. Contact support if rotation also fails.
  • The test event failed — check your receiver logs for the HTTP status code shown in the result. See Webhook deliveries failing or dead.
  • HMAC verification is failing on your receiver — see HMAC signature verification failing.