Skip to main content
Webhooks let you receive real-time HTTP notifications when events happen in your team — sessions created, status changes, comments, and more. Configure webhook endpoints per team, and Already will POST signed JSON payloads to your URL.

Setup

Use the webhook API endpoints to register a webhook URL for your team. You can subscribe to specific event types or receive all events. 
POST /api/webhooks

{
  "name": "My webhook",
  "url": "https://example.com/webhook",
  "event_types": ["session.created", "session.status_changed"],
  "secret": "your-signing-secret"
}

Payload structure

Every webhook delivery has the same top-level structure.
event
string
required
The event type (e.g. session.created)
timestamp
string
required
ISO 8601 timestamp of when the event occurred
delivery_id
string
required
Unique ID for this delivery (UUID)
data
object
required
Event-specific payload (see event types)
{
  "event": "session.created",
  "timestamp": "2026-02-09T12:00:00.000Z",
  "delivery_id": "550e8400-e29b-41d4-a716-446655440000",
  "data": {
    "session": { "..." },
    "created_by": null
  }
}

Signature verification

Each delivery includes an HMAC-SHA256 signature computed with your webhook secret.
HeaderDescription
X-Webhook-Signaturesha256=<hex-digest> — HMAC-SHA256 of the raw request body using your secret
X-Webhook-TimestampUnix timestamp (seconds) of when the payload was signed

Verification steps

1

Read the raw body

Read the raw request body (do not parse JSON first).
2

Compute HMAC

Compute HMAC-SHA256 of the body using your webhook secret.
3

Compare signatures

Compare with the signature in X-Webhook-Signature (after stripping the sha256= prefix).
4

Check timestamp

Verify that X-Webhook-Timestamp is within 5 minutes of the current time.

Delivery and retries

Already expects a 2xx response within 30 seconds. Failed deliveries are retried up to 3 times with exponential backoff:
RetryDelay
11 second
25 seconds
330 seconds