> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kuahr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Register a webhook endpoint

> Registers a URL to receive events. The response includes the signing `secret` (`whsec_…`) **once** — store it to verify signatures. Set `eventTypes` to a comma-separated list, or `*` for all events.



## OpenAPI

````yaml https://api.kuahr.com/openapi/v1.json post /v1/webhooks
openapi: 3.1.1
info:
  title: Kua API
  description: >-
    The Kua developer API — payroll, wallets, and payments for your own company.


    Authenticate with an API key issued from **Settings → API keys** in the
    dashboard, sent in the `X-Api-Key` header. Every request is scoped to the
    company that owns the key. Base URL: `https://api.kuahr.com` (all endpoints
    are versioned under `/v1`).
  version: v1
servers:
  - url: https://api.kuahr.com
    description: Production
security:
  - ApiKey: []
tags:
  - name: Payroll
    description: List and create payroll runs.
  - name: Employees
    description: Add people to your company.
  - name: Events
    description: The company event timeline (also delivered via webhooks).
  - name: Webhooks
    description: Register endpoints and inspect deliveries.
  - name: Test data
    description: Manage sandbox (test-mode) data.
  - name: Leave
    description: >-
      Time-off types, requests, balances, and allocations (requires the Leave
      add-on).
  - name: Advances
    description: Salary advances (requires the Salary advance add-on).
  - name: Performance
    description: OKRs, appraisals, and promotions (requires the Performance add-on).
paths:
  /v1/webhooks:
    post:
      tags:
        - Webhooks
      summary: Register a webhook endpoint
      description: >-
        Registers a URL to receive events. The response includes the signing
        `secret` (`whsec_…`) **once** — store it to verify signatures. Set
        `eventTypes` to a comma-separated list, or `*` for all events.
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateWebhookRequest'
            example:
              url: https://your-app.com/kua/webhooks
              description: Production receiver
              eventTypes: payroll.run.disbursed,employee.created
        required: true
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WebhookCreated'
              example:
                id: d4e5f6a7-0000-0000-0000-000000000001
                url: https://your-app.com/kua/webhooks
                description: Production receiver
                eventTypes: payroll.run.disbursed,employee.created
                isActive: true
                secret: whsec_3f8a9b2c1d4e5f6a7b8c9d0e1f2a3b4c
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
        '401':
          description: Unauthorized
components:
  schemas:
    CreateWebhookRequest:
      required:
        - url
        - description
        - eventTypes
      type: object
      properties:
        url:
          type: string
        description:
          type:
            - 'null'
            - string
        eventTypes:
          type:
            - 'null'
            - string
    WebhookCreated:
      required:
        - id
        - url
        - description
        - eventTypes
        - isActive
        - secret
      type: object
      properties:
        id:
          type: string
          description: The endpoint's unique id.
          format: uuid
        url:
          type: string
          description: The URL Kua will POST events to.
        description:
          type:
            - 'null'
            - string
          description: Your label for this endpoint.
        eventTypes:
          type: string
          description: Comma-separated event types, or `*` for all.
        isActive:
          type: boolean
          description: Whether the endpoint is currently receiving events.
        secret:
          type: string
          description: The signing secret (`whsec_…`). Shown once — store it now.
      description: |-
        A registered webhook endpoint. The signing `secret` is present
            only on the create response — it can't be retrieved again.
    ApiError:
      required:
        - code
        - message
      type: object
      properties:
        code:
          type: string
          description: >-
            A stable, machine-readable identifier you can branch on, e.g.
            `INSUFFICIENT_SCOPE`.
        message:
          type: string
          description: A human-readable explanation. May change; don't parse it.
      description: The standard error body returned for 4xx responses.
  securitySchemes:
    ApiKey:
      type: apiKey
      description: Your API key, e.g. `kua_live_…` (or `kua_test_…` in test mode).
      name: X-Api-Key
      in: header

````