> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Create webhook > Create a webhook for an app. ## OpenAPI ````yaml post /v2/session/apps/{appID}/webhooks openapi: 3.1.1 info: title: Prelude Session Management API version: 0.0.1 summary: The Prelude API for Session Management description: The Prelude API for Session Management. contact: email: support@prelude.so url: https://prelude.so servers: - url: https://api.prelude.dev description: Production server security: - Authorization: [] tags: - name: Mode description: Manage the mode (dev/prod) of your application. - name: Users description: Manage the users of your application. - name: Webhooks description: Manage the webhooks of your application. - name: Domains description: Manage the domains of your application. - name: Config - Scopes description: Manage the scope configuration of your application. - name: Config - Claims description: Manage the claims mapping configuration of your application. - name: Config - Step-up description: Manage the step-up authentication configuration of your application. - name: Config - Migration description: Manage the user migration configuration of your application. - name: Config - Login OTP description: Manage the OTP login configuration of your application. - name: Config - Login OAuth description: Manage the OAuth login configuration of your application. - name: Config - Login Password description: Manage the password login configuration of your application. paths: /v2/session/apps/{appID}/webhooks: parameters: - $ref: '#/components/parameters/appIDParam' post: tags: - Webhooks summary: Create webhook description: Create a webhook for an app. operationId: createWebhook requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PostWebhookRequest' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/PostWebhookResponse' '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/InvalidRequestError' - $ref: '#/components/schemas/InvalidWebhookEventError' - $ref: '#/components/schemas/WebhookInvalidUrlError' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/SessionDisabledError' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/AppNotFoundError' callbacks: eventReceived: '{$request.body#/url}': post: parameters: - in: header name: X-Webhook-Signature-Key-Id required: true schema: type: string description: >- The id of the key used to sign the webhook event. You can get the key from the JWKS endpoint of your application. examples: - d073d958-a0eb-4b8d-ade6-edbfa1083dd5 - in: header name: X-Webhook-Signature required: true schema: type: string description: >- The signature of the webhook event. It is the base64 URL-encoded RSASSA-PSS signature of the sha256 of the body of the request prefixed with "rsassa-pss-sha256=". examples: - >- rsassa-pss-sha256=Xy8pCJUV/UvCnZrTgk5tK5D+0rivHVYChQ50cwabCqdXVTIHujuTEH8hTCgYiwBQcnaNXKl6Oz+AoXWUtpaHcQiyzifUAS6EL5a8XBaIr1cVKk0yOgrvSjtw4QBTBwqVfrXZr33wmh3bAqDf5uIPc3beIOLLHh08r+FLfy+YvKZ3DjZ7WNuLFLfU/NYrG2zC1uhHTMKIKFyP6D2GOHvqn1BN5I/nWtDDlhI6oId6Yv/lnHc6ac1IPyQWgHRTWY0r6rFcrFtak29e2drP7PMG5+sxhV3F/NactkdM9rQ3FH7HqgFFFglU/2UbNpAmTS4y7363SaZ3m71H+q7H1Ks3oQ== requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/WebhookBatchEvent' responses: '200': description: Event accepted verificationEvent: '{$request.body#/url}': get: parameters: - in: query name: event required: true description: >- The event that triggered the webhook. It will always be "activate". schema: type: string enum: - activate - in: query name: verification_token required: true description: >- The verification token you set when you registered the webhook. schema: type: string examples: - my-secret-token - in: query name: challenge required: true description: >- An integer number between 0 and 9999999999 that you need to send back in the response. schema: type: number examples: - 1234567890 - in: query name: app_id required: true description: The app id you set when you registered the webhook. schema: $ref: '#/components/schemas/AppID' responses: '200': description: Webhook validated content: application/json: schema: $ref: '#/components/schemas/WebhookActivationEventResponse' components: parameters: appIDParam: in: path name: appID required: true description: The id of the app the request refers to. schema: $ref: '#/components/schemas/AppID' schemas: PostWebhookRequest: type: object properties: url: type: string format: uri examples: - https://example.com/webhook maxLength: 2048 verification_token: type: string maxLength: 100 examples: - my-secret-token events: type: array items: $ref: '#/components/schemas/WebhookEventTypesEnum' required: - url - verification_token - events PostWebhookResponse: type: object properties: webhook: $ref: '#/components/schemas/WebhookResponse' required: - webhook InvalidRequestError: type: object properties: code: type: string enum: - invalid_request examples: - invalid_request status: type: string enum: - bad_request examples: - bad_request message: type: string examples: - The request body is invalid. required: - code - status - message InvalidWebhookEventError: type: object properties: code: type: string enum: - invalid_webhook_event examples: - invalid_webhook_event status: type: string enum: - bad_request examples: - bad_request message: type: string examples: - The webhook event type is invalid. required: - code - status - message WebhookInvalidUrlError: type: object properties: code: type: string enum: - webhook_invalid_url examples: - webhook_invalid_url status: type: string enum: - bad_request examples: - bad_request message: type: string examples: - The webhook URL is invalid. required: - code - status - message SessionDisabledError: type: object properties: code: type: string enum: - session_disabled examples: - session_disabled status: type: string enum: - forbidden examples: - forbidden message: type: string examples: - Session management is disabled for this application. required: - code - status - message AppNotFoundError: type: object properties: code: type: string enum: - app_not_found examples: - app_not_found status: type: string enum: - not_found examples: - not_found message: type: string examples: - The application was not found. required: - code - status - message AppID: type: string description: An application's unique identifier. examples: - 54e9ujn - fvua38g WebhookEventTypesEnum: type: string enum: - user.created - user.deleted - user.profile.updated - user.identifier.created - user.identifier.deleted - user.session.created - user.session.revoked WebhookResponse: type: object properties: id: $ref: '#/components/schemas/WebhookID' url: type: string format: uri examples: - https://example.com/webhook events: type: array items: $ref: '#/components/schemas/WebhookEventTypesEnum' active: type: boolean examples: - true last_http_code: type: integer examples: - 200 - 500 - 502 - 403 - 401 - 400 last_http_code_date: type: string format: date-time examples: - '2025-03-15T14:45:00Z' created_at: type: string format: date-time examples: - '2025-03-15T10:30:00Z' updated_at: type: string format: date-time examples: - '2025-03-15T12:00:00Z' required: - id - url - events - active - last_http_code - last_http_code_date - created_at - updated_at WebhookID: type: string description: An application's webhook unique identifier. It is prefixed with 'web_' examples: - web_01jqebhswje1ka1z7ahr9rfsgt securitySchemes: Authorization: type: http scheme: bearer ````