Prequel Import emits webhooks for a number of event types. You can subscribe to specific event types and configure delivery through HTTPS, Slack, or PagerDuty using the POST /webhooks endpoint.

Webhook Event Types

Prequel Import webhook event types are in flux and are expected to change. They will be documented here soon.

Delivery Methods

HTTP POST and GET

Prequel Import supports HTTPS callbacks to your webhook receiver. When creating a webhook as generic_post type, payloads arrive as JSON. The generic_get type delivers payloads as URL parameters.

Third-Party Integrations

You can route events to PagerDuty, Slack, and Datadog with vendor-specific payload formatting.

Authentication

Webhooks can include an API key for destinations requiring authentication. Prequel signs every payload and includes the signature in the X-Prequel-Webhook-Signature header for verification purposes.

Versioning

At this time, webhook versioning is in flux and is expected to change.

Payload Structure

Headers

| Header | Description |
| --- | --- |
| Content-Type | Always application/json |
| X-Prequel-Webhook-Timestamp | Event send timestamp |
| X-Prequel-Webhook-Signature | SHA-256 RSA PKCS1 v1.5 signature |
| X-Prequel-Webhook-Digest | Optional SHA-256 hash for verification |

Body Format

All events follow this structure:
{
  "type": "resource_type.event_type",
  "version": "XXXX-XX-XX",
  "created_at": "...",
  "data": {
    // event-specific content
  }
}

Signature Verification

Prequel uses asymmetric cryptography with RSA key pairs. The private key signs payloads; your account’s public key verifies authenticity.

Verification Steps

1. Retrieve Public Key
   Access your webhook public key via the /public/signatures/webhook-public-key API endpoint.

2. Reconstruct Signing Data
   Extract the timestamp from the X-Prequel-Webhook-Timestamp header (RFC 3339 format). Combine timestamp, a period (.), and the raw JSON body. Hash this concatenated string using SHA-256.
   Use the raw request body before JSON deserialization, as parsing may introduce subtle changes.

   Validate Body Hash
   The X-Prequel-Webhook-Digest header contains the SHA-256 hash of the raw body only. Compare this against your computed hash to verify correct body handling; do not use this for signature confirmation.

3. Confirm Signature
   Verify the signing data hash against the signature in X-Prequel-Webhook-Signature using your public key with PKCS1 v1.5 scheme. Hex-decode Prequel’s signature before comparison.

4. Check Timestamp
   Implement a time window (e.g., 5 minutes) to reject outdated events and prevent replay attacks.
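
Steps 2 to 4 above as a receiver-side check in Go. This is an added example, not Prequel's own code. The names verifyWebhook and sampleDelivery, the throwaway key and the sample body are constructed for illustration, and the public key from step 1 is assumed to be already fetched and parsed into an *rsa.PublicKey, since the page does not state its encoding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// verifyWebhook checks the replay window, then the RSA signature over SHA-256(ts + "." + rawBody as received).
func verifyWebhook(pub *rsa.PublicKey, ts, sigHex string, rawBody []byte, now time.Time) error {
	sent, err := time.Parse(time.RFC3339, ts)
	if err != nil {
		return fmt.Errorf("timestamp header: %w", err)
	}
	if now.Sub(sent).Abs() > 5*time.Minute { // the page's example window
		return fmt.Errorf("timestamp %s outside replay window", ts)
	}
	sig, err := hex.DecodeString(sigHex) // header value is hex-encoded
	if err != nil {
		return fmt.Errorf("signature header: %w", err)
	}
	digest := sha256.Sum256(append([]byte(ts+"."), rawBody...))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// sampleDelivery builds a constructed delivery signed with a throwaway key (stand-in for Prequel's signer).
func sampleDelivery(now time.Time) (*rsa.PublicKey, string, string, []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ts := now.UTC().Format(time.RFC3339)
	body := []byte(`{"type":"resource_type.event_type","data":{}}`)
	digest := sha256.Sum256(append([]byte(ts+"."), body...))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return &key.PublicKey, ts, hex.EncodeToString(sig), body
}

func main() {
	pub, ts, sig, body := sampleDelivery(time.Now())
	fmt.Println("verify error:", verifyWebhook(pub, ts, sig, body, time.Now()))
}
```

A body that has been parsed and re-serialized fails this check even when the JSON is semantically identical, so the handler has to capture the raw bytes before any decoding.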