Webhooks
Get real-time HTTP callbacks to your own systems when events happen in Weqly.
Webhooks let Weqly notify your own systems in real time when something happens, such as a shift being assigned, leave being approved, or a teammate joining. Whenever an event you’ve subscribed to occurs, Weqly sends an HTTP POST to a URL you provide.
You manage webhooks on the Integrations page. (Setting them up is typically an admin/developer task.)
Creating a webhook
- Go to Integrations and add a webhook.
- Give it a name (so you can recognise it later).
- Enter the URL Weqly should send events to. It must be a public HTTPS endpoint. Internal or private addresses are rejected for security.
- Choose which events to subscribe to (at least one).
- Save.
You can mark a webhook active or inactive. Inactive webhooks stop receiving events without being deleted.
Available events
Weqly fires events across these areas:
| Area | Events |
|---|---|
| Leave | leave.requested, leave.approved, leave.rejected, leave.cancelled |
| Shift | shift.assigned, shift.changed, shift.removed |
| Trade | trade.requested, trade.approved, trade.rejected, trade.cancelled |
| Drop | drop.requested, drop.approved, drop.rejected, drop.cancelled |
| Invite | invite.sent, invite.accepted, invite.expired |
| User | user.joined, user.updated, user.removed |
| Kudos | kudos.sent |
What a delivery looks like
Each delivery is a POST with a JSON body describing the event, plus two headers:
| Header | Purpose |
|---|---|
X-Weqly-Event | The event name, e.g. shift.assigned. |
X-Weqly-Signature | A signature you use to verify the request really came from Weqly. |
Verifying the signature
Every webhook has a secret (visible on the webhook in Integrations). Weqly signs each request body with it so you can confirm authenticity and reject spoofed calls.
The signature is:
X-Weqly-Signature: sha256=<HMAC-SHA256 of the raw request body, keyed with your secret>
To verify on your side:
- Take the raw request body exactly as received.
- Compute
HMAC-SHA256of that body using your webhook’s secret as the key. - Prefix the hex result with
sha256=. - Compare it to the
X-Weqly-Signatureheader (use a constant-time comparison).
If they don’t match, discard the request.
Reliability & security notes
- Deliveries are sent as background jobs and retried on failure.
- URLs are checked for safety both when you save them and again at send time, to guard against requests being redirected to internal systems.
- Keep your secret confidential. Anyone with it can forge signed requests.
Need help?
Reach our support team at help@weqly.com. We’re happy to help.