> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gaintrace.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Update a webhook

> Update url, events, headers, description, or active state.

**Scope:** `write:webhooks`



## OpenAPI

````yaml /openapi.json patch /webhooks/{id}
openapi: 3.1.0
info:
  title: GainTrace API
  version: 1.0.0
  description: >-
    The GainTrace REST API (v1). Read your customer data and push product-usage
    events, metric events, and signals into GainTrace.


    All endpoints are authenticated with a Bearer API key and scoped to a single
    workspace.
servers:
  - url: https://app.gaintrace.com/api/v1
    description: Production
security:
  - bearerAuth: []
tags:
  - name: Companies
    description: Read and manage canonical company records.
  - name: Signals
    description: Read, create, and manage buyer / risk signals.
  - name: Ingest
    description: Push product-usage and metric events into GainTrace.
  - name: Contacts
    description: Read and manage the people on an account.
  - name: Webhooks
    description: Subscribe to workspace events with signed, retried delivery.
paths:
  /webhooks/{id}:
    patch:
      tags:
        - Webhooks
      summary: Update a webhook
      description: |-
        Update url, events, headers, description, or active state.

        **Scope:** `write:webhooks`
      operationId: updateWebhook
      parameters:
        - $ref: '#/components/parameters/pathId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookPatch'
      responses:
        '200':
          description: The updated webhook.
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/Webhook'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/RateLimited'
components:
  parameters:
    pathId:
      name: id
      in: path
      required: true
      description: >-
        Resource UUID. For companies you may also pass `ext:<externalId>` to
        address by your external id.
      schema:
        type: string
  schemas:
    WebhookPatch:
      type: object
      description: >-
        Any subset. Setting `active:true` also clears the auto-disable failure
        state.
      properties:
        url:
          type: string
          format: uri
          maxLength: 500
        events:
          type: array
          minItems: 1
          items:
            anyOf:
              - $ref: '#/components/schemas/WebhookEvent'
              - const: '*'
        headers:
          type: object
          additionalProperties:
            type: string
        description:
          type:
            - string
            - 'null'
          maxLength: 255
        active:
          type: boolean
      minProperties: 1
    Webhook:
      type: object
      properties:
        id:
          type: string
          format: uuid
        url:
          type: string
          format: uri
        events:
          type: array
          items:
            type: string
          description: Subscribed events, or `["*"]` for all.
        active:
          type: boolean
        description:
          type:
            - string
            - 'null'
        headers:
          type: object
          additionalProperties:
            type: string
          description: >-
            Custom headers sent with each delivery. Values are redacted (`***`)
            in responses.
        secretPrefix:
          type: string
          description: >-
            First chars of the signing secret. Full secret is returned only at
            creation.
        consecutiveFailures:
          type: integer
        disabledAt:
          type:
            - string
            - 'null'
          format: date-time
          description: Set when auto-disabled after sustained failures.
        lastSuccessAt:
          type:
            - string
            - 'null'
          format: date-time
        createdAt:
          type: string
          format: date-time
        updatedAt:
          type: string
          format: date-time
    WebhookEvent:
      type: string
      enum:
        - company.created
        - company.updated
        - contact.created
        - contact.updated
        - contact.deleted
        - signal.created
        - member.invited
        - member.joined
    Error:
      type: object
      properties:
        error:
          type: string
          description: Human-readable, safe error message.
        detail:
          type: string
        code:
          type: string
      required:
        - error
  responses:
    BadRequest:
      description: Invalid request body or parameters.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: Missing or invalid API key.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Forbidden:
      description: Insufficient scope, or API v1 is not enabled for the workspace.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Referenced resource not found in this workspace.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    RateLimited:
      description: Per-key rate limit exceeded.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >-
        Bearer API key. Secret server keys start with `gt_live_`; client-safe
        browser keys start with `gt_pub_` (write-only, origin-pinned). Create
        and scope keys in Settings → API Keys.

````