> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gaintrace.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a webhook

> Register a webhook subscription. The signing `secret` is returned only in this response.

**Scope:** `write:webhooks`



## OpenAPI

````yaml /openapi.json post /webhooks
openapi: 3.1.0
info:
  title: GainTrace API
  version: 1.0.0
  description: >-
    The GainTrace REST API (v1). Read your customer data and push product-usage
    events, metric events, and signals into GainTrace.


    All endpoints are authenticated with a Bearer API key and scoped to a single
    workspace.
servers:
  - url: https://app.gaintrace.com/api/v1
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Companies
    description: Read and manage canonical company records.
  - name: Signals
    description: Read, create, and manage buyer / risk signals.
  - name: Ingest
    description: Push product-usage and metric events into GainTrace.
  - name: Contacts
    description: Read and manage the people on an account.
  - name: Webhooks
    description: Subscribe to workspace events with signed, retried delivery.
paths:
  /webhooks:
    post:
      tags:
        - Webhooks
      summary: Create a webhook
      description: >-
        Register a webhook subscription. The signing `secret` is returned only
        in this response.


        **Scope:** `write:webhooks`
      operationId: createWebhook
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookCreate'
      responses:
        '201':
          description: Webhook created (includes the one-time secret).
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WebhookCreated'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '402':
          $ref: '#/components/responses/PlanLimit'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/RateLimited'
components:
  schemas:
    WebhookCreate:
      type: object
      required:
        - url
        - events
      properties:
        url:
          type: string
          format: uri
          maxLength: 500
          description: HTTPS only; may not resolve to a private/reserved address.
        events:
          type: array
          minItems: 1
          items:
            anyOf:
              - $ref: '#/components/schemas/WebhookEvent'
              - const: '*'
          description: Subscribed events, or `["*"]`.
        headers:
          type: object
          additionalProperties:
            type: string
          description: >-
            Optional custom headers (e.g. an auth token). Reserved/signing
            headers are rejected. Max 20, 4KB total.
        description:
          type:
            - string
            - 'null'
          maxLength: 255
    WebhookCreated:
      allOf:
        - $ref: '#/components/schemas/Webhook'
        - type: object
          properties:
            secret:
              type: string
              description: The signing secret, returned ONCE. Store it now.
    WebhookEvent:
      type: string
      enum:
        - company.created
        - company.updated
        - contact.created
        - contact.updated
        - contact.deleted
        - signal.created
        - member.invited
        - member.joined
    Webhook:
      type: object
      properties:
        id:
          type: string
          format: uuid
        url:
          type: string
          format: uri
        events:
          type: array
          items:
            type: string
          description: Subscribed events, or `["*"]` for all.
        active:
          type: boolean
        description:
          type:
            - string
            - 'null'
        headers:
          type: object
          additionalProperties:
            type: string
          description: >-
            Custom headers sent with each delivery. Values are redacted (`***`)
            in responses.
        secretPrefix:
          type: string
          description: >-
            First chars of the signing secret. Full secret is returned only at
            creation.
        consecutiveFailures:
          type: integer
        disabledAt:
          type:
            - string
            - 'null'
          format: date-time
          description: Set when auto-disabled after sustained failures.
        lastSuccessAt:
          type:
            - string
            - 'null'
          format: date-time
        createdAt:
          type: string
          format: date-time
        updatedAt:
          type: string
          format: date-time
    Error:
      type: object
      properties:
        error:
          type: string
          description: Human-readable, safe error message.
        detail:
          type: string
        code:
          type: string
      required:
        - error
  responses:
    BadRequest:
      description: Invalid request body or parameters.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Missing or invalid API key.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    PlanLimit:
      description: Plan limit reached for this resource.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Forbidden:
      description: Insufficient scope, or API v1 is not enabled for the workspace.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    RateLimited:
      description: Per-key rate limit exceeded.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >-
        Bearer API key. Secret server keys start with `gt_live_`; client-safe
        browser keys start with `gt_pub_` (write-only, origin-pinned). Create
        and scope keys in Settings → API Keys.

````