Sources

Manage webhook sources — your inbound endpoints that receive events.

Sources are your webhook ingestion endpoints. Each source gets a unique URL at /v1/ingest/<source_id> where external services send webhooks. Sources support optional HMAC signature verification, deduplication strategies, and IP allow/deny lists.

hookstream ships with 15 pre-configured source templates for popular providers (Stripe, GitHub, Shopify, Twilio, etc.). Use the templates endpoint to pre-fill verification settings.

List Sources

GET /v1/sources

List all sources for the authenticated organization in the current project.

Authentication: API key or session cookie.

Query Parameters

cursor string

Cursor for pagination. Pass the cursor value from the previous response.

limit number default: 20

Number of results to return (max 100).

bash
curl https://hookstream.io/v1/sources \
  -H "X-API-Key: $HOOKSTREAM_API_KEY"

json
{
  "sources": [
    {
      "id": "src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
      "name": "Stripe Webhooks",
      "verification_type": "hmac_sha256",
      "dedup_strategy": "payload_hash",
      "ip_allowlist": null,
      "ip_denylist": null,
      "event_count": 1542,
      "created_at": "2026-02-28T10:00:00Z",
      "updated_at": "2026-03-01T08:30:00Z"
    }
  ],
  "cursor": "eyJpZCI6InNyY18uLi4ifQ",
  "has_more": false
}

Create Source

POST /v1/sources

Create a new source. Returns the source with its ingestion URL.

Authentication: API key or session cookie.

Body Parameters

name string required

Display name for the source.

slug string required

URL-safe slug for the source (e.g., "my-source").

verification_type string

Signature verification method: hmac_sha256, hmac_sha1, standard_webhooks, or null.

verification_secret string

Secret used for signature verification. Required if verification_type is set.

dedup_strategy string

Deduplication strategy: payload_hash, header_field, body_field, or null.

ip_allowlist string[]

Array of allowed IP addresses or CIDR ranges.

ip_denylist string[]

Array of denied IP addresses or CIDR ranges.

bash
curl -X POST https://hookstream.io/v1/sources \
  -H "X-API-Key: $HOOKSTREAM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Stripe Webhooks",
    "slug": "stripe-webhooks",
    "verification_type": "hmac_sha256",
    "verification_secret": "whsec_abc123def456",
    "dedup_strategy": "payload_hash"
  }'

json
{
  "id": "src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
  "name": "Stripe Webhooks",
  "verification_type": "hmac_sha256",
  "dedup_strategy": "payload_hash",
  "ip_allowlist": null,
  "ip_denylist": null,
  "url": "https://hookstream.io/v1/ingest/src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
  "created_at": "2026-03-01T12:00:00Z"
}

Retrieve Source

GET /v1/sources/:id

Get a single source by ID.

Authentication: API key or session cookie.

bash
curl https://hookstream.io/v1/sources/src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 \
  -H "X-API-Key: $HOOKSTREAM_API_KEY"

json
{
  "id": "src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
  "name": "Stripe Webhooks",
  "verification_type": "hmac_sha256",
  "dedup_strategy": "payload_hash",
  "ip_allowlist": null,
  "ip_denylist": null,
  "event_count": 1542,
  "url": "https://hookstream.io/v1/ingest/src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
  "created_at": "2026-02-28T10:00:00Z",
  "updated_at": "2026-03-01T08:30:00Z"
}

Update Source

PATCH /v1/sources/:id

Update a source. All fields are optional.

Authentication: API key or session cookie.

Body Parameters

name string

Updated display name.

verification_type string

Updated verification method.

verification_secret string

Updated verification secret.

bash
curl -X PATCH https://hookstream.io/v1/sources/src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 \
  -H "X-API-Key: $HOOKSTREAM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Stripe Production Webhooks"}'

json
{
  "id": "src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
  "name": "Stripe Production Webhooks",
  "verification_type": "hmac_sha256",
  "dedup_strategy": "payload_hash",
  "updated_at": "2026-03-01T15:00:00Z"
}

Delete Source

DELETE /v1/sources/:id

Delete a source. Events and connections referencing this source are not deleted.

Authentication: API key or session cookie.

bash
curl -X DELETE https://hookstream.io/v1/sources/src_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 \
  -H "X-API-Key: $HOOKSTREAM_API_KEY"

json
{ "success": true }

List Source Templates

GET /v1/sources/templates

List pre-configured source templates for popular webhook providers.

Authentication: API key or session cookie.

bash
curl https://hookstream.io/v1/sources/templates \
  -H "X-API-Key: $HOOKSTREAM_API_KEY"

json
{
  "templates": [
    {
      "id": "stripe",
      "name": "Stripe",
      "verification_type": "hmac_sha256",
      "description": "Receive Stripe webhook events with HMAC-SHA256 signature verification."
    },
    {
      "id": "github",
      "name": "GitHub",
      "verification_type": "hmac_sha256",
      "description": "Receive GitHub webhook events with HMAC-SHA256 signature verification."
    }
  ]
}
Ingest

Send webhooks to a source's public URL.

Learn More
Connections

Link sources to destinations.

Learn More
Previous Pagination & Rate Limits
Next Destinations
Ask a question... ⌘I