Granit.Webhooks.Endpoints exposes a Minimal API for managing webhook subscriptions:
create and update subscriptions, transition through lifecycle states (active, suspended,
deactivated), rotate signing secrets, send test pings, and monitor delivery statistics.
All endpoints are protected by the Webhooks.Admin authorization policy with configurable
role requirements.
- Granit.Webhooks.Endpoints/
  - Granit.Webhooks
  - Granit.Webhooks.EntityFrameworkCore
```csharp
// In your application startup
app.MapWebhooksEndpoints();

// Or override the default options
app.MapWebhooksEndpoints(opts =>
{
    opts.RoutePrefix = "admin/webhooks";
    opts.RequiredRole = "platform-admin";
    opts.TagName = "Webhook Administration";
});
```
| Option | Default | Description |
| --- | --- | --- |
| `RoutePrefix` | `"webhooks"` | Route prefix for all webhook endpoints |
| `RequiredRole` | `"granit-webhooks-admin"` | Role required for the authorization policy |
| `TagName` | `"Webhooks"` | OpenAPI tag name for endpoint grouping |

Configuration section: WebhooksEndpoints.
| Method | Route | Description |
| --- | --- | --- |
| GET | `/event-types` | List all registered webhook event types |

Returns the full list of event types declared by application modules via
IWebhookEventTypeDefinitionProvider. Each entry includes the event type name,
localized display name, description, and category for UI grouping. Labels are
resolved based on the Accept-Language header. Requires
Webhooks.Subscriptions.Read permission.
| Method | Route | Description |
| --- | --- | --- |
| GET | `/subscriptions/{id}` | Get a webhook subscription by ID |

| Method | Route | Description |
| --- | --- | --- |
| POST | `/subscriptions` | Create a new subscription (returns signing secret once) |
| PUT | `/subscriptions/{id}` | Update a subscription's target URL |
| DELETE | `/subscriptions/{id}` | Hard-delete a subscription |

| Method | Route | Description |
| --- | --- | --- |
| POST | `/subscriptions/{id}/activate` | Reactivate a suspended subscription |
| POST | `/subscriptions/{id}/suspend` | Suspend an active subscription |
| POST | `/subscriptions/{id}/deactivate` | Permanently deactivate a subscription |

```mermaid
stateDiagram-v2
    [*] --> Active: Create
    Active --> Suspended: Suspend
    Suspended --> Active: Activate
    Active --> Deactivated: Deactivate
    Suspended --> Deactivated: Deactivate
```

| Method | Route | Description |
| --- | --- | --- |
| POST | `/subscriptions/{id}/rotate-secret` | Rotate the HMAC signing secret |
| POST | `/subscriptions/{id}/test-ping` | Send a Stripe-style test ping to the target URL |
| GET | `/stats` | Get aggregate delivery statistics (last 24h) |

When Granit.Webhooks.EntityFrameworkCore is registered, query endpoints are available:
| Method | Route | Description |
| --- | --- | --- |
| POST | `/subscriptions/query` | Filter, sort, and paginate subscriptions |
| POST | `/deliveries/query` | Filter, sort, and paginate delivery attempts |

| DTO | Direction | Used by |
| --- | --- | --- |
| `WebhookEventTypeResponse` | Output | GET event-types |
| `WebhookSubscriptionCreateRequest` | Input | POST subscriptions |
| `WebhookSubscriptionCreatedResponse` | Output | POST subscriptions (includes signing secret) |
| `WebhookSubscriptionUpdateRequest` | Input | PUT subscriptions |
| `WebhookSubscriptionDeactivateRequest` | Input | POST deactivate |
| `WebhookSubscriptionResponse` | Output | GET, PUT, lifecycle endpoints |
| `WebhookSubscriptionRotateSecretResponse` | Output | POST rotate-secret |
| `WebhookSubscriptionTestPingResponse` | Output | POST test-ping |
| `WebhookSubscriptionStatsResponse` | Output | GET stats |

All endpoints require the Webhooks.Admin authorization policy. Permissions
are defined in WebhooksPermissions:
| Permission | Description |
| --- | --- |
| `Webhooks.Subscriptions.Read` | View subscriptions, list event types |
| `Webhooks.Subscriptions.Manage` | Create, update, delete, lifecycle transitions, rotate secrets, test pings, stats |

All request DTOs are automatically validated via FluentValidation through
MapGranitGroup(). Key rules:
- Target URL: HTTPS only, absolute URI, max 2048 chars
- SSRF protection: blocks private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16), localhost, link-local IPv6, and blocked TLDs (.local, .internal, .onion)
- Event type: non-empty, max 200 chars, must exist in the event type registry
- Deactivation reason: non-empty, max 1000 chars
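
The target URL and SSRF rules above can be mirrored in a client-side or audit pre-check like the one below. This is an added example, not Granit's own validator: the names `TargetUrlRules` and `Check` are hypothetical, the sample URLs are constructed, and treating loopback IP literals as "localhost" is an assumption.

```csharp
#nullable enable
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

// Added illustration of the target URL rules listed above; not Granit's own validator.
public static class TargetUrlRules
{
    static readonly string[] BlockedTlds = { ".local", ".internal", ".onion" };
    static readonly (string Net, int Bits)[] BlockedV4 =
        { ("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16), ("169.254.0.0", 16) };

    // Returns null when the URL passes, otherwise the rule it violates.
    public static string? Check(string url)
    {
        if (url.Length > 2048) return "longer than 2048 chars";
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)) return "not an absolute URI";
        if (uri.Scheme != Uri.UriSchemeHttps) return "not HTTPS";

        string host = uri.DnsSafeHost.TrimEnd('.').ToLowerInvariant();
        if (host == "localhost") return "localhost";
        if (BlockedTlds.Any(t => host.EndsWith(t, StringComparison.Ordinal))) return "blocked TLD";
        if (!IPAddress.TryParse(host, out var ip)) return null; // DNS name: literal checks are done

        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // ::ffff:10.0.0.1 is checked as 10.0.0.1
        if (IPAddress.IsLoopback(ip)) return "localhost"; // assumption: loopback literals count as localhost
        if (ip.IsIPv6LinkLocal) return "link-local IPv6";
        if (ip.AddressFamily == AddressFamily.InterNetwork &&
            BlockedV4.Any(r => InRange(ip, IPAddress.Parse(r.Net), r.Bits))) return "private IPv4 range";
        return null;
    }

    // True when the first `bits` bits of ip and net are equal (CIDR prefix match).
    static bool InRange(IPAddress ip, IPAddress net, int bits)
    {
        byte[] a = ip.GetAddressBytes(), n = net.GetAddressBytes();
        for (int i = 0; i < bits; i++)
            if (((a[i / 8] ^ n[i / 8]) & (0x80 >> (i % 8))) != 0) return false;
        return true;
    }

    public static void Main()
    {
        // Constructed sample URLs, not taken from the Granit documentation.
        foreach (var u in new[] { "https://hooks.example.com/in", "http://hooks.example.com/in",
                                  "https://172.20.1.5/hook", "https://[fe80::1]/hook", "https://build.internal/hook" })
            Console.WriteLine($"{u} -> {Check(u) ?? "allowed"}");
    }
}
```

This sketch inspects only the literal host in the URL. A DNS name that resolves to one of the blocked ranges is not caught here and needs a check on the resolved address at delivery time.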
Webhooks — core module documentation (publisher, delivery engine, retry)