Webhooks
Push HTTP notifications when master data changes. This page mirrors the marketing documentation for Enterprise webhook behavior.
Overview
Webhooks send HTTP POST requests to your endpoints whenever relevant master data changes occur in EntiHub.
Supported event types:
data_createddata_updateddata_soft_deleteddata_deleteddata_restoreddata_editeddata_rejected
Configuration
Each webhook subscription defines:
name— human-readable label.url— HTTPS endpoint receiving POST requests.domains— JSON array of domain names.entities— JSON array of entity names.actions— JSON array of event types.description— optional documentation.is_active— inactive webhooks are not invoked.
Example filters:
domains: ["Finance", "HR"]
entities: ["Customer", "Vendor"]
actions: ["data_created", "data_updated", "data_edited"]
Payload
{
"event": "data_updated",
"entityName": "Customer",
"recordId": "42",
"occurredUtc": "2025-03-24T14:30:00Z",
"user": "jdoe@contoso.com",
"changes": {
"status": { "old": "Draft", "new": "Active" },
"creditLimit": { "old": 10000, "new": 25000 }
}
}
Management API
GET /api/v1/webhooks
GET /api/v1/webhooks/{id}
POST /api/v1/webhooks
PUT /api/v1/webhooks/{id}
DELETE /api/v1/webhooks/{id}
YAML export & import
GET /api/v1/webhooks/yaml
POST /api/v1/webhooks/yaml
CLI equivalents:
entihub webhooks yaml-export
entihub webhooks yaml-import --file webhooks.yaml
URL validation (SSRF protection)
Validation is configurable in System security settings.
AllowAllExceptLocalhost— allow all HTTP/HTTPS targets except localhost/loopback.Strict— deny by default, allow only approved hosts and ports, with DNS/IP safety checks.
Every blocked webhook call is skipped and logged with mode, URL, and reason.
Best practices
- Use HTTPS endpoints only.
- Make handlers idempotent.
- Return
2xxquickly and offload heavy processing to background workers. - Log failures with enough context for replay or alerting.