Help Center

Webhooks

Get real-time HTTP callbacks to your own systems when events happen in Weqly.

Webhooks let Weqly notify your own systems in real time when something happens, such as a shift being assigned, leave being approved, or a teammate joining. Whenever an event you’ve subscribed to occurs, Weqly sends an HTTP POST to a URL you provide.

You manage webhooks on the Integrations page. (Setting them up is typically an admin/developer task.)

Creating a webhook

  1. Go to Integrations and add a webhook.
  2. Give it a name (so you can recognise it later).
  3. Enter the URL Weqly should send events to. It must be a public HTTPS endpoint. Internal or private addresses are rejected for security.
  4. Choose which events to subscribe to (at least one).
  5. Save.

You can mark a webhook active or inactive. Inactive webhooks stop receiving events without being deleted.

Available events

Weqly fires events across these areas:

AreaEvents
Leaveleave.requested, leave.approved, leave.rejected, leave.cancelled
Shiftshift.assigned, shift.changed, shift.removed
Tradetrade.requested, trade.approved, trade.rejected, trade.cancelled
Dropdrop.requested, drop.approved, drop.rejected, drop.cancelled
Inviteinvite.sent, invite.accepted, invite.expired
Useruser.joined, user.updated, user.removed
Kudoskudos.sent

What a delivery looks like

Each delivery is a POST with a JSON body describing the event, plus two headers:

HeaderPurpose
X-Weqly-EventThe event name, e.g. shift.assigned.
X-Weqly-SignatureA signature you use to verify the request really came from Weqly.

Verifying the signature

Every webhook has a secret (visible on the webhook in Integrations). Weqly signs each request body with it so you can confirm authenticity and reject spoofed calls.

The signature is:

X-Weqly-Signature: sha256=<HMAC-SHA256 of the raw request body, keyed with your secret>

To verify on your side:

  1. Take the raw request body exactly as received.
  2. Compute HMAC-SHA256 of that body using your webhook’s secret as the key.
  3. Prefix the hex result with sha256=.
  4. Compare it to the X-Weqly-Signature header (use a constant-time comparison).

If they don’t match, discard the request.

Reliability & security notes

  • Deliveries are sent as background jobs and retried on failure.
  • URLs are checked for safety both when you save them and again at send time, to guard against requests being redirected to internal systems.
  • Keep your secret confidential. Anyone with it can forge signed requests.

Need help?

Reach our support team at help@weqly.com. We’re happy to help.