API REFERENCE
Webhooks
Receive a POST request to your server when a scan completes. Each delivery is signed with HMAC-SHA256 so you can verify it came from webdoc.ai.
Events
Payload
{
  "event": "scan.completed",
  "scan_id": "c4f1a2b3-...",
  "url": "https://example.com",
  "score": 54,
  "data": {
    "domain": "example.com",
    "verdict": "Needs Work"
  }
}
Request headers
Verifying signatures
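import { createHmac, timingSafeEqual } from "crypto"

function verifyWebhook(body: string, signature: string, secret: string): boolean {
  // Recompute the HMAC-SHA256 over the raw request body
  const expected = createHmac("sha256", secret)
    .update(body)
    .digest("hex")
  const a = Buffer.from(expected, "utf8")
  const b = Buffer.from(signature, "utf8")
  // Compare in constant time; timingSafeEqual throws on unequal lengths, so check length first
  return a.length === b.length && timingSafeEqual(a, b)
}

// In your route handler:
// Read the body as raw text and verify it before parsing
const body = await request.text()
const sig = request.headers.get("x-webdoc-signature") ?? ""
if (!verifyWebhook(body, sig, process.env.WEBHOOK_SECRET!)) {
  return new Response("Unauthorized", { status: 401 })
}
const payload = JSON.parse(body)
Managing webhook endpoints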
POST /api/v1/webhooks - Register a new webhook endpoint. Returns the secret once.
GET /api/v1/webhooks - List all registered webhooks. Secret is never returned in list.
DELETE /api/v1/webhooks - Remove a webhook by ID.
The webhook secret is returned once when you register the endpoint. Store it securely — it cannot be retrieved later. Delete and re-register to rotate a lost secret.
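A local test for the check described under "Verifying signatures", added here as an example and not taken from webdoc.ai's own code. It signs a constructed delivery and runs a receiver through the cases it should reject. Assumptions: the signature is the hex HMAC-SHA256 of the exact raw body, as the verification code above implies; `sign`, `verify`, `handleDelivery`, `runCases` and the secret value are hypothetical names and test data.

```typescript
import { createHmac, timingSafeEqual } from "crypto"

// Constructed test values; a real secret comes from the register call.
const SECRET = "test-secret-not-a-real-one"
const RAW_BODY = '{"event":"scan.completed","scan_id":"00000000-test","url":"https://example.com","score":54,"data":{"domain":"example.com","verdict":"Needs Work"}}'

// Sender side (assumed): hex HMAC-SHA256 over the exact body bytes.
function sign(body: string, secret: string): string {
  return createHmac("sha256", secret).update(body).digest("hex")
}

// Receiver side: constant-time check against the raw body.
function verify(body: string, signature: string, secret: string): boolean {
  const a = Buffer.from(sign(body, secret), "utf8")
  const b = Buffer.from(signature, "utf8")
  return a.length === b.length && timingSafeEqual(a, b)
}

// Hypothetical handler core: returns the HTTP status the route would send.
function handleDelivery(rawBody: string, headers: Record<string, string | undefined>, secret: string): number {
  const sig = headers["x-webdoc-signature"] ?? ""
  if (!verify(rawBody, sig, secret)) return 401
  const payload = JSON.parse(rawBody) // parse only after the signature checks out
  return payload.event === "scan.completed" ? 200 : 400
}

// Cases a receiver should be tested against before going live.
function runCases(): Record<string, number> {
  const goodSig = sign(RAW_BODY, SECRET)
  const good = { "x-webdoc-signature": goodSig }
  // Parsing and re-serializing changes whitespace, so the bytes no longer match.
  const reserialized = JSON.stringify(JSON.parse(RAW_BODY), null, 2)
  return {
    valid: handleDelivery(RAW_BODY, good, SECRET),
    tamperedBody: handleDelivery(RAW_BODY.replace("54", "99"), good, SECRET),
    reserializedBody: handleDelivery(reserialized, good, SECRET),
    missingHeader: handleDelivery(RAW_BODY, {}, SECRET),
    truncatedSignature: handleDelivery(RAW_BODY, { "x-webdoc-signature": goodSig.slice(0, 10) }, SECRET),
    wrongSecret: handleDelivery(RAW_BODY, { "x-webdoc-signature": sign(RAW_BODY, "other") }, SECRET),
  }
}

console.log(runCases())
```

The `reserializedBody` case is the one that most often fails in practice: a framework that parses JSON before your handler runs leaves you without the original bytes to verify.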