2 min read
The endpoint object
An endpoint is described by this object. The secret is returned once at creation and never again — store it immediately.
{
"id": "whend_3T8K1",
"url": "https://api.your-app.example/credicorp/webhooks",
"enabled_events": [
"enquiry.created",
"decision.completed",
"payment.succeeded"
],
"status": "enabled",
"secret": "whsec_a1b2c3\u2026",
"created": "2026-07-04T09:00:00Z"
}
Choosing events
Set enabled_events to the specific types you handle, or ["*"] to receive everything. Subscribing narrowly reduces traffic and keeps your handler simple. The full list is in the event catalogue.
Rotating the secret
Rotate the signing secret if it may have leaked. Rotation issues a new secret while keeping the old one valid for a 24-hour overlap, so in-flight deliveries never fail. Verify against both secrets during the window — see Rotate a webhook signing secret.
Limits
Up to 20 endpoints per partner account, each subscribing to any subset of events. An endpoint that returns non-2xx for 7 consecutive days is automatically disabled and must be re-enabled manually.
Frequently asked questions
Can I register an http:// (non-TLS) URL?
No. Endpoints must be HTTPS with a valid certificate. Webhook bodies carry event data, and the signature protects integrity but not confidentiality, so transport encryption is mandatory.
Where do I find my signing secret later?
You cannot retrieve it after creation — it is shown once. If you have lost it, rotate the secret to issue a new one.
What disables an endpoint automatically?
Seven consecutive days of failed deliveries. Re-enable it once your endpoint is healthy; queued events within the 72-hour retention are then delivered.
Funding for UK limited companies
Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.