Webhooks

Re-register and verify webhooks

v2 webhooks use canonical event names, one-time secrets, HMAC signatures, and at-least-once delivery.

Register

Create hooks at /webhooks. The response returns secret: "whsec_..." once; store it immediately.

cURL

curl -X POST https://api.crove.app/api/external/v2/webhooks \
  -H "X-Api-Key: <key>" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com/crove/webhook","events":["recipient.submitted","document.completed","export.completed","document.opened"]}'

Event map

Legacy event	Canonical event	Note
document.response.submitted	recipient.submitted	Use for submitted recipient responses.
recipient.signed	recipient.submitted	Do not map this to document.completed.

document.response.submitted

recipient.submitted

Use for submitted recipient responses.

recipient.signed

recipient.submitted

Do not map this to document.completed.

Canonical set

recipient.submitteddocument.completedexport.completeddocument.opened

Signature verification

Live HMAC verifier

Runs in your browser with Web Crypto. The secret never leaves this page.

Webhook secretX-Crove-SignatureRaw request body

Dedupe deliveries

Delivery is at least once. Store payload id before side effects and skip work when the id was already processed.

Re-enable auto-disabled hooks

If legacy failures disabled a hook, patch it with {active:true}. Then use test and deliveries endpoints to validate.

cURL

curl -X PATCH https://api.crove.app/api/external/v2/webhooks/<id> \
  -H "X-Api-Key: <key>" \
  -H "Content-Type: application/json" \
  -d '{"active":true}'

Pabbly flat payloads

v2 accepts nested values, bracket keys such as values[Field], and bare top-level field keys.