Webhooks
Connect thig.ai to your existing tools and workflows with webhooks. Send notifications when events occur or receive data from external services.
Outgoing Webhooks
Send HTTP POST notifications to external services whenever specific events occur in your organization.
Creating an Outgoing Webhook
- Go to Webhooks (
/admin/webhooks) and select the Outgoing tab
- Click Add Webhook
- Enter a name and the destination URL
- Select which events to listen for
- Save the webhook
Supported Events
| Event | Trigger |
|---|
project.created | A new project is created |
project.updated | A project’s status or details change |
prd.generated | A PRD document is generated |
prd.updated | A PRD is edited or a new version is saved |
export.completed | A document export finishes (any format) |
member.joined | A new member accepts an invitation |
comment.created | A comment is added to a PRD |
Webhook Payload
Each delivery includes a JSON body with the event type, timestamp, and relevant resource data. Headers include a signature for verification (see Security below).
Delivery Stats and Retries
The webhooks table shows delivery statistics for each endpoint:
- Success rate — Percentage of successful deliveries (2xx responses)
- Last delivery — Timestamp and status of the most recent attempt
- Total deliveries — Count of all delivery attempts
Failed deliveries are retried automatically with exponential backoff (up to 3 retries over 1 hour).
Incoming Webhooks
Receive data from external services by generating unique webhook URLs.
Creating an Incoming Webhook
- Select the Incoming tab
- Click Add Webhook
- Name the webhook and configure the action (e.g., create a project, add a note)
- Copy the generated URL and configure it in your external service
Each incoming webhook gets a unique URL in the format:
https://app.thig.ai/api/webhooks/incoming/{webhook-id}
Webhook Security
All outgoing webhook deliveries are signed with HMAC-SHA256 for verification.
Verifying Signatures
Each delivery includes these headers:
| Header | Description |
|---|
webhook-id | Unique identifier for the delivery |
webhook-signature | HMAC-SHA256 signature of the payload |
webhook-timestamp | Unix timestamp of the delivery |
Always verify webhook signatures before processing payloads. Ignoring verification exposes your endpoint to spoofed requests.
Best Practices
- Handle retries idempotently — Use the
webhook-id header to deduplicate deliveries. The same event may be delivered more than once.
- Respond quickly — Return a 2xx status within 10 seconds. Do heavy processing asynchronously after acknowledging receipt.
- Monitor failures — Check the delivery stats regularly. Webhooks with repeated failures are automatically disabled after consecutive failures.
- Use HTTPS — Only HTTPS endpoints are accepted for outgoing webhooks.
Test your webhook endpoint with the Send Test button before subscribing to real events. It sends a sample payload so you can verify your integration works.
Webhooks are available to Admin and Owner roles. Members and Viewers cannot configure webhooks.
