Webhooks

Webhooks stream Emplorea events to your systems in real time - the agent equivalent of push notifications. Create endpoints in Settings, then Integrations, or via POST /api/v1/webhooks (webhooks scope). Endpoints must be HTTPS.

Events

employee.created     employee.updated     employee.terminated
leave.requested      leave.approved       leave.declined
leave.cancelled
document.uploaded    document.signed      (fire once documents ship)

Payload

{
  "id": "evt-uuid",            // unique per event - deduplicate on this
  "event": "employee.created",
  "created_at": "2026-06-13T03:12:45.000Z",
  "company_id": "uuid",
  "data": { ...the full resource object }
}

Signature verification - always verify first

Every delivery is signed with HMAC-SHA256 using your endpoint secret (shown once at creation). The signature arrives in the X-Emplorea-Signature header as sha256=<hex>. Verify before processing:

import { createHmac, timingSafeEqual } from "node:crypto";

function verify(rawBody, signatureHeader, secret) {
  const expected = "sha256=" +
    createHmac("sha256", secret).update(rawBody).digest("hex");
  return timingSafeEqual(Buffer.from(expected), Buffer.from(signatureHeader));
}

Delivery and retries

• 3 attempts per event with exponential backoff (immediately, 2s, 8s).
• 30 second timeout per attempt; any 2xx response counts as delivered.
• Every attempt outcome is logged - see the per-endpoint log in Settings.
• Use the Test button (or a ping event) to verify your receiver end to end.
• Paused endpoints receive nothing until resumed; deletes are soft.