OpenAPI: Webhook Event Delivery Definition

Q: OpenAPI: Webhook Event Delivery Definition

## Documenting Webhooks in OpenAPI Webhooks are server-to-server HTTP callbacks that notify external systems when events occur. OpenAPI 3.1 introduced a dedicated webhooks section, but you can document them in 3.0 using callback objects or by defining the expected payload schemas. ### Webhook Endpoint (Receiver) Document what the consumer's endpoint should accept: yaml paths: /webhooks/receive: post: summary: Receive webhook events description: | Your server should

Document webhook callback endpoints and event payloads in OpenAPI 3.0. Covers event types, signature verification headers, retry policies, and payload schemas.

Webhooks

Detailed Explanation

Documenting Webhooks in OpenAPI

Webhooks are server-to-server HTTP callbacks that notify external systems when events occur. OpenAPI 3.1 introduced a dedicated webhooks section, but you can document them in 3.0 using callback objects or by defining the expected payload schemas.

Webhook Endpoint (Receiver)

Document what the consumer's endpoint should accept:

paths:
  /webhooks/receive:
    post:
      summary: Receive webhook events
      description: |
        Your server should expose this endpoint to receive
        webhook events. Verify the X-Webhook-Signature header
        before processing.
      parameters:
        - name: X-Webhook-Signature
          in: header
          required: true
          schema:
            type: string
          description: HMAC-SHA256 signature for payload verification
        - name: X-Webhook-Event
          in: header
          required: true
          schema:
            type: string
            enum:
              - order.created
              - order.updated
              - payment.completed
              - payment.failed
          description: The event type
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookPayload'
      responses:
        '200':
          description: Event received and acknowledged
        '400':
          description: Invalid signature or payload

Webhook Payload Schema

components:
  schemas:
    WebhookPayload:
      type: object
      required:
        - id
        - event
        - timestamp
        - data
      properties:
        id:
          type: string
          description: Unique event ID for idempotency
        event:
          type: string
          description: Event type (e.g., order.created)
        timestamp:
          type: string
          description: ISO 8601 timestamp
        data:
          type: object
          description: Event-specific payload data

Signature Verification

Document the signature algorithm: typically HMAC-SHA256 of the raw request body using a shared secret. Include example code or reference your SDK documentation for verification.

Retry Policy

Document your retry behavior: how many times you retry failed deliveries, the backoff strategy (exponential, fixed intervals), and the timeout window. This is critical information for webhook consumers to implement proper handling.

Use Case

Documenting a payment gateway, e-commerce platform, or SaaS product that sends event notifications to customer servers. Essential for Stripe-like payment events, order status updates, or CI/CD pipeline notifications.

Try It — API Documentation Generator

Open full tool →