Webhooks
Webhooks send signed outbound POST requests for selected tenant events. Manage endpoints from Settings -> Integrations -> Webhooks or the public API.
Contracts
| Event | Status | Delivery |
|-------|--------|----------|
| claim_project.created | Emitted | Signed outbox delivery |
| claim_project.updated | Emitted | Signed outbox delivery |
| expense_category.created | Emitted | Signed outbox delivery |
| expense_category.updated | Emitted | Signed outbox delivery |
| report_configuration.created | Emitted | Signed outbox delivery |
| report_configuration.updated | Emitted | Signed outbox delivery |
| claim_report.queued | Emitted | Signed outbox delivery |
| claim_report.succeeded | Emitted | Signed outbox delivery |
| claim_report.failed | Emitted | Signed outbox delivery |
| bank_statement.redaction_succeeded | Emitted | Signed outbox delivery |
| bank_statement.redaction_failed | Emitted | Signed outbox delivery |
| user.invited | Emitted | Signed outbox delivery |
| organization.updated | Emitted | Signed outbox delivery |
| bank_statement.redaction_queued | Planned | Contract reserved, not emitted yet |
| integration.connected | Planned | Contract reserved, not emitted yet |
| webhook.test | Test only | Unsigned connectivity check |
Signing
Production deliveries include:
- X-InstaClaim-Event
- X-InstaClaim-Timestamp
- X-InstaClaim-Signature
Verify the signature over the exact raw request body before parsing. The SDK exports verifyInstaClaimWebhookSignature for this.
Secret rotation
Rotate a webhook secret with PATCH /v1/webhooks/{webhook_id} and {"rotateSecret": true}. The new secret is returned once. During the overlap window, deliveries may include signatures for both current and previous secrets.
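The raw-body verification from Signing and the overlap window from Secret rotation, shown from the receiver's side as an added example that is not InstaClaim's SDK or documentation code. The signature scheme (HMAC-SHA256, hex, comma-separated values in X-InstaClaim-Signature), the function names and the sample values are all assumptions; the SDK's verifyInstaClaimWebhookSignature defines the real format.

```javascript
// Added example, not InstaClaim SDK code. Assumptions (not stated in the docs):
// HMAC-SHA256 over the raw body, hex-encoded, comma-separated when two are sent.
const crypto = require("node:crypto");

function sign(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// True if any signature in the header matches any secret the receiver holds.
function matchesAnySecret(rawBody, signatureHeader, secrets) {
  const candidates = String(signatureHeader || "").split(",").map((s) => s.trim());
  let ok = false;
  for (const secret of secrets) {
    const expected = Buffer.from(sign(secret, rawBody), "utf8");
    for (const candidate of candidates) {
      const given = Buffer.from(candidate, "utf8");
      // timingSafeEqual throws on unequal lengths, so compare lengths first.
      if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
        ok = true;
      }
    }
  }
  return ok;
}

// headers: lower-cased names, as Node's http module delivers them.
// rawBody: the Buffer exactly as received, never re-serialized JSON.
function handleDelivery(headers, rawBody, secrets) {
  if (headers["x-instaclaim-event"] === "webhook.test") {
    return { status: 204 }; // unsigned connectivity check: acknowledge, process nothing
  }
  if (!matchesAnySecret(rawBody, headers["x-instaclaim-signature"], secrets)) {
    return { status: 401 };
  }
  // Parse only after the bytes have been authenticated.
  return { status: 200, payload: JSON.parse(rawBody.toString("utf8")) };
}

// Constructed sample delivery sent during a rotation overlap window.
const PREVIOUS_SECRET = "example-previous-secret";
const CURRENT_SECRET = "example-current-secret";
const sampleBody = Buffer.from('{"id": "evt_example", "type": "claim_report.succeeded"}');
const sampleHeaders = {
  "x-instaclaim-event": "claim_report.succeeded",
  "x-instaclaim-signature": `${sign(CURRENT_SECRET, sampleBody)},${sign(PREVIOUS_SECRET, sampleBody)}`,
};
```

A receiver that still holds only the previous secret accepts this delivery, while the same payload re-serialized by a JSON body parser no longer matches because its bytes differ.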
Delivery logs
Use GET /v1/webhooks/{webhook_id}/deliveries to inspect outbox delivery status. Synthetic test pings do not appear in the outbox log.