> ## Documentation Index > Fetch the complete documentation index at: https://docs.anchorbrowser.io/llms.txt > Use this file to discover all available pages before exploring further. # Create Webhook > Register a new HTTPS endpoint to receive events. The response includes a one-time `secret` (HMAC-SHA256 signing key) — store it; Anchor never returns it again. Up to 5 webhooks per project. ## OpenAPI ````yaml /openapi.yaml post /v1/webhooks openapi: 3.1.0 info: title: AnchorBrowser API version: 1.0.0 description: APIs to manage all browser-related actions and configuration. servers: - url: https://api.anchorbrowser.io description: API server security: [] paths: /v1/webhooks: post: tags: - Webhooks summary: Create Webhook description: | Register a new HTTPS endpoint to receive events. The response includes a one-time `secret` (HMAC-SHA256 signing key) — store it; Anchor never returns it again. Up to 5 webhooks per project. operationId: createWebhook requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/WebhookCreateRequest' examples: taskLifecycle: summary: Subscribe to task lifecycle events value: url: https://your-app.example.com/anchor/webhooks description: Production task notifications subscribed_events: - task.completed - task.failed - task.healed slackForwarder: summary: Forward to a Slack incoming webhook value: url: >- https://hooks.slack.com/services/T01234567/B98765432/AbCdEfGhIjKlMnOpQrStUvWx description: '#ops alerts' subscribed_events: - task.failed - session.failed - identity.authentication_failed responses: '201': description: Webhook created. The `secret` field is returned ONCE — copy it now. content: application/json: schema: $ref: '#/components/schemas/WebhookWithSecret' '400': description: > Validation error. Common causes — non-HTTPS URL, URL targets a private/loopback IP, cloud metadata service, internal-only TLD (`*.local`/`*.internal`), AWS STS/IAM/EKS endpoint, contains basic-auth credentials, exceeds 2048 chars, or `subscribed_events` is empty. content: application/json: schema: $ref: '#/components/schemas/FlatErrorResponse' '409': description: >- Per-project webhook limit (5) reached. Delete or reuse an existing webhook. content: application/json: schema: $ref: '#/components/schemas/FlatErrorResponse' '500': description: Failed to create webhook. content: application/json: schema: $ref: '#/components/schemas/FlatErrorResponse' security: - api_key_header: [] components: schemas: WebhookCreateRequest: type: object required: - url - subscribed_events properties: url: type: string format: uri minLength: 1 maxLength: 2048 description: > HTTPS endpoint Anchor will POST events to. Rejected (400) if it points at loopback / private / link-local IPs, cloud metadata services, internal-only TLDs, AWS STS / IAM / EKS endpoints, or contains basic-auth credentials. example: https://your-app.example.com/anchor/webhooks description: type: string maxLength: 256 description: Optional human-readable description. example: Production task notifications subscribed_events: type: array description: Events this webhook should receive. At least one is required. minItems: 1 items: $ref: '#/components/schemas/WebhookEventType' WebhookWithSecret: description: | Same shape as `WebhookPublic` plus the freshly minted signing secret. Returned ONLY by create and rotate-secret. Store it the first time — Anchor never returns it again. If lost, rotate to mint a new one. allOf: - $ref: '#/components/schemas/WebhookPublic' - type: object required: - secret properties: secret: type: string description: >- HMAC-SHA256 signing secret. Use this to verify the `Anchor-Signature` header on each delivery. example: 36da51b166a69268a59a8d5ee0b32c9f5e5aaee7d301c7a5a36844318e116fc6 FlatErrorResponse: type: object properties: error: type: string description: Human-readable error message. code: type: integer description: HTTP status code. required: - error WebhookEventType: type: string description: | Catalog of webhook event types Anchor can deliver. Adding a new event type is a coordinated change between session-manager (publisher), webhook-dispatcher (consumer), and the dashboard. enum: - task.completed - task.failed - task.cancelled - task.healed - session.completed - session.failed - session.recording.ready - batch.completed - batch.failed - intervention.requested - intervention.resolved - identity.authenticated - identity.authentication_failed WebhookPublic: type: object description: >- A registered webhook subscription. The signing secret is NEVER returned by GET/list endpoints. required: - id - project_id - url - description - subscribed_events - enabled - created_at - updated_at properties: id: type: string description: Webhook id. Use as the path parameter on subsequent calls. example: wh_01HXJ4MZ7K9P3Q6R8S2T4V5W7Y project_id: type: string format: uuid description: The project (team) the webhook belongs to. example: 5d2c31f6-ab7e-481a-b6fd-8b4a96a4e197 url: type: string format: uri description: HTTPS URL Anchor will POST events to. example: https://your-app.example.com/anchor/webhooks description: type: string nullable: true maxLength: 256 description: Optional human-readable description. example: Production task notifications subscribed_events: type: array description: Event types this webhook is currently subscribed to. items: $ref: '#/components/schemas/WebhookEventType' enabled: type: boolean description: When `false`, no events fan out to this webhook. example: true created_at: type: string format: date-time nullable: true updated_at: type: string format: date-time nullable: true securitySchemes: api_key_header: type: apiKey in: header name: anchor-api-key description: API key passed in the header ````