8 min read
Jan 03, 2026

Managing Webhooks

Learn how to set up and manage webhooks in your Pivot organization to receive real-time notifications when events occur.

Introduction to Webhooks

Webhooks allow your organization to receive real-time notifications when specific events occur in Pivot. Instead of polling the API for changes, webhooks push data to your server automatically, enabling efficient integrations and automations.

Key Features

  • Real-time notifications: Get instant updates when events occur
  • Event filtering: Subscribe only to the events you care about
  • Secure delivery: All webhooks are signed with HMAC-SHA256 for verification
  • Delivery logging: View delivery history and troubleshoot issues
  • Automatic retries: Failed deliveries are automatically retried with exponential backoff

Who Can Manage Webhooks

Only organization Admins and Owners can create, edit, or delete webhooks. Viewers can see the list of webhooks but cannot modify them.

Accessing Webhook Management

1

Open the Organization Admin Page

From the sidebar menu, click your profile picture, then select Organization admin and choose your organization.

2

Navigate to Integrations

In the Organization Admin panel, click on the Integrations tab.

3

Select Webhooks

Within the Integrations section, you’ll find the Webhooks panel where you can view, create, and manage your organization’s webhooks.

Creating a Webhook

1

Click Add Webhook

Click the Add Webhook button to open the webhook creation form.

2

Enter Webhook Details

Fill in the following information:

  • Name: A descriptive name for your webhook (e.g., “Slack Notifications”)
  • Description: Optional notes about what this webhook is used for
  • Endpoint URL: The HTTPS URL where webhook payloads will be sent

The endpoint URL must use HTTPS for security. HTTP URLs are not supported.

3

Configure Subject

Select what entity you want to receive notifications about:

  • Subject Type: Choose between “Room” or “Space”
  • Subject ID: Enter the UUID of the room or space
4

Select Event Types

Choose which events should trigger the webhook:

  • Message Sent: Triggered when a new message is sent in the subscribed room
  • Room Recording Transcript Published: Triggered when a recording transcript becomes available
5

Save and Copy Secret

After clicking Create, you’ll be shown the webhook secret. This secret is used to verify webhook signatures.

Important: The webhook secret is only shown once during creation. Copy and store it securely - you won’t be able to view it again.

Editing a Webhook

1

Find the Webhook

In the webhooks list, locate the webhook you want to edit.

2

Click the Edit Button

Click the Edit icon (pencil) in the webhook row.

3

Modify Settings

You can update:

  • Name and Description
  • Endpoint URL
  • Status: Toggle between Active and Inactive
  • Event Types: Add or remove event subscriptions
4

Save Changes

Click Save to apply your changes.

The webhook secret cannot be changed. If you need to rotate the secret, delete the webhook and create a new one.

Viewing Webhook Logs

1

Click the Logs Button

In the webhooks list, click the Page icon to view delivery logs for a specific webhook.

2

Review Delivery History

The logs show:

  • Event Type: What event triggered the delivery
  • Timestamp: When the delivery was attempted
  • Status: Whether the delivery succeeded or failed
  • Response Code: The HTTP status code from your server
  • Error Message: Details if the delivery failed

Webhook Security

Verifying Webhook Signatures

Every webhook request includes a signature header that you should verify to ensure the request came from Pivot:

  1. Extract the X-Pivot-Signature header from the request
  2. Compute the HMAC-SHA256 of the raw request body using your webhook secret
  3. Compare your computed signature with the header value
const crypto = require('crypto');


function verifyWebhookSignature(payload, signature, secret) {
const expectedSignature = 'sha256=' +
crypto.createHmac('sha256', secret)
.update(payload)
.digest('hex');


return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expectedSignature)
);
}

Security Best Practices

  • Always verify signatures before processing webhook payloads
  • Store secrets securely using environment variables or a secrets manager
  • Use HTTPS for all webhook endpoints
  • Respond quickly - return a 2xx status code within 15 seconds
  • Process asynchronously - queue webhook processing for complex operations

Retry Behavior

When webhook delivery fails, Pivot automatically retries with exponential backoff:

RetryDelay
1st1 minute
2nd5 minutes
3rd30 minutes
4th2 hours
5th12 hours

After all retries are exhausted, organization admins will receive an email notification about the failed webhook.

To avoid retries, ensure your endpoint returns a 2xx status code within 15 seconds. Retries will continue until a successful response is received or the maximum retry count is reached.

Troubleshooting

Common Issues

  • Verify the webhook status is Active
  • Check that the subject ID (room/space) is correct
  • Ensure at least one event type is selected
  • Verify your endpoint is accessible from the internet
  • Ensure you’re using the correct webhook secret
  • Verify you’re computing the signature on the raw request body, not a parsed JSON object
  • Check that you’re using HMAC-SHA256, not another algorithm
  • Check if your endpoint is returning a 2xx status code
  • Verify your endpoint responds within 15 seconds
  • Review the error message in the logs for specific details
  • Test your endpoint manually with a sample payload

Deleting a Webhook

1

Find the Webhook

In the webhooks list, locate the webhook you want to delete.

2

Click Delete

Click the Trash icon in the webhook row.

3

Confirm Deletion

Confirm the deletion when prompted. This action cannot be undone.

Deleting a webhook immediately stops all event deliveries. Any pending retries will also be cancelled.

Was this guide helpful?

Prev

SCIM User Management

Next

Google and Outlook Calendars