Webhooks API Reference
Webhooks let OilPriceAPI deliver events to your HTTPS endpoint. Use this API-reference page for endpoint mechanics, and the Webhooks Guide for full signing, retry, and cookbook examples.
Lifecycle
- Create a webhook endpoint.
- Receive events.
- Verify HMAC-SHA256 signature.
- Return a fast 2xx response.
- Inspect delivery history and retry failures.
- Test, update, or delete the endpoint.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/webhooks | List webhooks |
| POST | /v1/webhooks | Create webhook |
| GET | /v1/webhooks/:id | Get webhook |
| PUT/PATCH | /v1/webhooks/:id | Update webhook |
| DELETE | /v1/webhooks/:id | Delete webhook |
| GET | /v1/webhooks/:id/events | Delivery/event history |
| POST | /v1/webhooks/:id/test | Send test event |
Signature Verification
Every production webhook receiver should verify signatures before parsing business data.
import crypto from "node:crypto";
function verifyWebhook(payload, timestamp, signature, secret) {
const message = `${payload}.${timestamp}`;
const expected = crypto.createHmac("sha256", secret).update(message).digest("hex");
return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
}
Reject stale timestamps outside your replay window, usually 5 minutes. Store event ids such as evt_... for idempotency.
Event Payload
{
"id": "evt_123",
"type": "price.updated",
"created_at": "2026-07-15T14:30:00Z",
"data": {
"code": "WTI_USD",
"price": 74.52,
"currency": "USD",
"created_at": "2026-07-15T14:30:00Z"
}
}
Error Cases
| Status | When |
|---|---|
400 | Invalid URL, event type, or payload |
401 | Missing or invalid API key |
404 | Webhook id not found |
422 | Validation failed |
429 | Rate limit exceeded |