Create a webhook endpoint
This guide walks you through registering an HTTPS endpoint to receive MapleGather webhook events, storing the HMAC signing secret, and verifying that your receiver is correctly set up.
Who can do this: Admins with the webhooks:write scope.
Before you start
Section titled “Before you start”- You need a publicly reachable HTTPS endpoint on your server. HTTP endpoints are not accepted.
- Your server must be able to verify HMAC-SHA256 signatures. See How HMAC webhook signing works for the verification algorithm.
- Decide which event types you need. The M1 catalog is:
member.created,payment.succeeded,event_registration.confirmed.
- Go to Admin & Security > Integrations > Webhooks.
- Select New endpoint.
- In the Delivery URL field, enter your HTTPS endpoint URL. If you enter an HTTP URL, the form blocks saving with the error “HTTPS required for webhook targets.”
- Under Events, check each event type your endpoint should receive. You must select at least one.
- Leave API version set to v1 unless you have a specific reason to pin a different version.
- Select Create endpoint.
The HMAC signing secret is shown exactly once. Read the warning, copy the secret now, and store it securely (for example, in your secrets manager). Select I’ve stored it safely to close the reveal. If the copy button fails, the secret field stays selectable — select all the text and copy it manually.
After the reveal closes, a verification guidance panel appears. It shows the algorithm for confirming that events came from MapleGather:
- Recompute
HMAC-SHA256over the string<X-Webhook-Timestamp>.<raw request body>. - Compare the result to the value in the
X-Webhook-Signatureheader. - Reject the delivery if the
X-Webhook-Timestampis more than five minutes old (replay defense).
- Optionally, select Send a test event to dispatch a signed
pingdelivery to your endpoint. The screen polls for the delivery outcome and shows “Delivered ✓” or “Failed — {HTTP status}” so you can confirm your receiver is working before production events arrive. - Select I’ve stored it safely to finish.
Verify
Section titled “Verify”Your new endpoint appears in the Webhooks list with an “Active” status badge and the event types you selected. The HMAC secret is not shown again in the list.
After a test event: the test result shows “Delivered ✓” if your receiver returned a 2xx status.
If something goes wrong
Section titled “If something goes wrong”- “HTTPS required for webhook targets” error — your URL must use
https://. Update the URL and try again. - The signing secret was not shown (degraded reveal) — if the create response could not carry the signing secret in this build, you’ll see “Signing secret unavailable in this build — rotate or retrieve it via support before relying on signature verification.” Your endpoint is still created and active. Use ⋮ > Rotate secret (
webhook_secrets_rotate) to issue a freshwhsec_…secret in place — the endpoint and its subscriptions are preserved. Contact support if rotation also fails. - The test event failed — check your receiver logs for the HTTP status code shown in the result. See Webhook deliveries failing or dead.
- HMAC verification is failing on your receiver — see HMAC signature verification failing.