Handle webhooks | Reventlov

Create an endpoint:

$ curl -X POST $API/api/v1/webhook-endpoints \
>   -H "Authorization: Bearer $REVENTLOV_API_KEY" \
>   -d '{"url":"https://example.com/hooks","events":["directive.issued"]}'

Save the returned secret — you’ll use it to verify signatures.
On your server, verify:

1 import { createHmac, timingSafeEqual } from 'node:crypto';
2 
3 export function verify(req: Request, raw: string, secret: string) {
4   const h = req.headers.get('x-reventlov-signature') ?? '';
5   const [tPart, vPart] = h.split(',');
6   const t = Number(tPart.split('=')[1]);
7   const sig = vPart.split('=')[1];
8   const expected = createHmac('sha256', secret).update(`${t}.${raw}`).digest('hex');
9   return timingSafeEqual(Buffer.from(expected), Buffer.from(sig));
10 }

Reject if the timestamp is older than 5 minutes to prevent replay.

Event types

Every state-changing customer action in the dashboard fans out one of these signed events. Subscribe to the ones you care about, or leave events: [] on your endpoint to receive all of them.

Companies

event	when it fires
`company.created`	A company is created via onboarding or `/api/v1/companies`
`company.updated`	Company fields are mutated
`company.dissolved`	Company is dissolved
`company.formation.step_completed`	A formation milestone is recorded

Agents

event	when it fires
`agent.linked`	A new agent is created (dashboard, `/api/v1/agents`, or onboarding)
`agent.updated`	An agent’s name, provider, model, phone, or email is changed
`agent.paused` / `agent.resumed`	The agent (or its case binding on a company) is paused/resumed
`agent.unlinked`	An agent is detached from a company

Filings & compliance

event	when it fires
`filing.due`	A new open filing is created
`filing.submitted`	An open filing is marked submitted
`compliance.resynced`	The compliance matrix is reseeded for a company

API keys

event	when it fires
`api_key.created`	A new API key is minted
`api_key.revoked`	An API key is revoked

Case & legal team

event	when it fires
`case.comment_posted`	A customer or staff comment is added to a case
`directive.issued` / `directive.suspended` / `directive.resolved`	Directive lifecycle

Treasury & bank

event	when it fires
`bank.connected` / `bank.connection.linked`	A Mercury (or other provider) connection is configured
`bank.connection.secret_configured`	The connection’s API token is stored
`bank.connection.disconnected`	A connection is removed
`bank.transaction.posted`	A new transaction is ingested
`bank.balance.updated`	The cash balance snapshot is refreshed
`bank.approval.required`	A wire crosses an approval threshold
`mercury.sync_completed`	A manual Mercury sync finished
`financial.snapshot.updated`	A periodic financial snapshot is checkpointed

Agent runtime

event	when it fires
`agent.action.logged` / `completed` / `failed` / `blocked`	Action lifecycle from the agent runtime
`agent.approval.requested` / `decided`	Operator approval flow
`agent.flag.created` / `resolved`	Operator-raised flags
`openclaw.runtime.snapshot.updated`	OpenClaw runtime checkpoint

Webhook hygiene

event	when it fires
`webhook_endpoint.failing`	An endpoint has had repeated delivery failures

Every event payload includes id, type, created_at, account_id, optional company_id, and a data object with the affected record. The full delivery is signed (x-reventlov-signature) and recorded in Activity at /dashboard/logs and Webhooks → Recent deliveries at /dashboard/settings/webhooks.