Webhooks API

Webhooks allow you to receive real-time notifications when users enter or exit segments. Cipres uses a transactional outbox pattern to ensure reliable delivery.

Events

Event Description
user_added Fired when a user matches a segment
user_removed Fired when a user no longer matches a segment

Webhook Payload

When an event occurs, Cipres sends a POST request to your webhook URL with this payload:

Event Payload 
{
  "event_type": "user_added",
  "timestamp": "2024-01-22T17:30:00Z",
  "pipeline_id": 3,
  "segment": {
    "id": "seg_abc123",
    "name": "Frustrated Users"
  },
  "user": {
    "id": "user_001",
    "score": 0.95
  }
}

Request Headers

Webhook Headers
Content-Type required
string

Always application/json.

X-Webhook-Signature
string

HMAC-SHA256 signature of the request body (if secret is configured).

X-Event-ID required
string

Unique identifier for the event. Use for idempotency.

X-Event-Type required
string

The event type: user_added or user_removed.

Verifying Signatures

If you configure a secret when creating the webhook, Cipres will sign each request using HMAC-SHA256. Compute the HMAC-SHA256 of the raw request body using your webhook secret and compare it against the X-Webhook-Signature header to ensure requests are authentic.

API Endpoints

Create Webhook

POST https://cipres.tech/projects/{project_id}/pipelines/{pipeline_id}/webhooks
Request Body
url required
string

The HTTPS URL that will receive webhook events.

secret
string

Secret used to sign webhook payloads with HMAC-SHA256. Recommended for security.

events
array

Events to subscribe to. Defaults to all events: ["user_added", "user_removed"].

Example Request 
{
  "url": "https://your-app.com/webhooks/cipres",
  "secret": "whsec_your_webhook_secret",
  "events": ["user_added", "user_removed"]
}

Responses

{
  "id": 1,
  "pipeline_id": 3,
  "url": "https://your-app.com/webhooks/cipres",
  "events": ["user_added", "user_removed"],
  "is_active": true,
  "created_at": "2024-01-22T17:00:00Z",
  "updated_at": "2024-01-22T17:00:00Z"
}

List Webhooks

GET https://cipres.tech/projects/{project_id}/pipelines/{pipeline_id}/webhooks

Returns all webhooks configured for the pipeline.

Responses

[
  {
    "id": 1,
    "pipeline_id": 3,
    "url": "https://your-app.com/webhooks/cipres",
    "events": ["user_added", "user_removed"],
    "is_active": true,
    "created_at": "2024-01-22T17:00:00Z",
    "updated_at": "2024-01-22T17:00:00Z"
  }
]

Get Webhook

GET https://cipres.tech/projects/{project_id}/pipelines/{pipeline_id}/webhooks/{webhook_id}

Returns a single webhook by ID.

Update Webhook

PUT https://cipres.tech/projects/{project_id}/pipelines/{pipeline_id}/webhooks/{webhook_id}
Request Body
url
string

The HTTPS URL that will receive webhook events.

secret
string

Secret used to sign webhook payloads with HMAC-SHA256.

events
array

Events to subscribe to: ["user_added", "user_removed"].

is_active
boolean

Enable or disable the webhook.

Example Request 
{
  "url": "https://your-app.com/webhooks/cipres",
  "secret": "whsec_new_secret",
  "events": ["user_added", "user_removed"],
  "is_active": true
}

Delete Webhook

DELETE https://cipres.tech/projects/{project_id}/pipelines/{pipeline_id}/webhooks/{webhook_id}

Permanently deletes a webhook. This action cannot be undone.

List Deliveries

GET https://cipres.tech/projects/{project_id}/pipelines/{pipeline_id}/webhooks/{webhook_id}/deliveries

View recent delivery attempts for a webhook. Useful for debugging. Accepts an optional limit query parameter (1-200, default: 50).

Example Response 
[
  {
    "id": 123,
    "event_id": 456,
    "webhook_id": 1,
    "status": "success",
    "status_code": 200,
    "response_body": "OK",
    "duration_ms": 145,
    "created_at": "2024-01-22T17:30:00Z"
  },
  {
    "id": 122,
    "event_id": 455,
    "webhook_id": 1,
    "status": "failed",
    "status_code": 500,
    "response_body": "Internal server error",
    "duration_ms": 2034,
    "created_at": "2024-01-22T17:25:00Z"
  }
]

Retry Policy

Failed deliveries are automatically retried up to 5 times with exponential backoff. A delivery is considered failed if:

  • The endpoint returns a non-2xx status code
  • The connection times out (10 second limit)
  • The endpoint is unreachable
Attempt Delay
1st retry 1 minute
2nd retry 5 minutes
3rd retry 30 minutes
4th retry 2 hours
5th retry 24 hours

Best Practices

  • Respond quickly — Return a 200 response within 10 seconds
  • Process asynchronously — Queue webhook events for background processing
  • Verify signatures — Always validate the X-Webhook-Signature header
  • Handle duplicates — Use the X-Event-ID header for idempotency
  • Use HTTPS — Webhook URLs must use HTTPS for security