https://inference.varo.cloud/v1
All requests require an Authorization: Bearer YOUR_API_KEY header.
POST /webhooks
Registers a new webhook endpoint with your organization. You choose which events you want to subscribe to, and Varo Cloud will deliver a payload to your URL each time one of those events fires.The HTTPS endpoint that Varo Cloud should send event payloads to. Must begin with
https://. Plain HTTP endpoints are not accepted.An array of event name strings to subscribe to. See Supported Events for the full list. Pass
["*"] to subscribe to all events.An optional secret string used to sign outgoing payloads with HMAC-SHA256. Strongly recommended so that you can verify each payload actually came from Varo Cloud. See Verifying Webhook Signatures for details.
Unique identifier for the webhook, prefixed with
wh_.The HTTPS endpoint registered to receive event payloads.
The list of event names this webhook is subscribed to.
Current status of the webhook.
active means Varo Cloud will deliver payloads to this endpoint.ISO 8601 datetime string for when the webhook was created.
Supported Events
Subscribe to any combination of the following events when creating a webhook.| Event | Trigger |
|---|---|
deployment.queued | A deployment enters the queue |
deployment.started | Build begins for a queued deployment |
deployment.succeeded | A deployment completed successfully and went active |
deployment.failed | A deployment encountered a fatal error and failed |
deployment.rolled_back | A rollback was triggered for a deployment |
project.created | A new project was created in the organization |
project.deleted | A project was permanently deleted |
user.invited | A team member invitation was sent |
user.removed | A team member was removed from the organization |
Webhook Payload Format
Varo Cloud sends all event payloads as JSON in the body of an HTTP POST request to your registered endpoint. Every payload shares the same top-level structure: anevent name, a timestamp, and a data object containing event-specific fields.
The following example shows the payload delivered when a deployment succeeds:
2xx status code to acknowledge receipt. Varo Cloud treats any other response — including 3xx redirects — as a failed delivery and will retry according to the schedule described in Retry Behavior.
Verifying Webhook Signatures
When you provide asecret during webhook creation, Varo Cloud signs every outgoing payload using HMAC-SHA256 and includes the signature in the X-Varo-Signature header. The header value uses the format:
payload is the raw request body string (before any JSON parsing), signature is the value of the X-Varo-Signature header, and secret is the secret string you provided when creating the webhook. Return false from this function means the payload should be rejected.
Retry Behavior
If your endpoint does not return an HTTP2xx response within 10 seconds, Varo Cloud considers the delivery attempt failed and schedules a retry. Deliveries are retried up to 5 times using exponential backoff, with delays of approximately 30 seconds, 2 minutes, 10 minutes, 30 minutes, and 2 hours between attempts. After 5 failed attempts, the delivery is abandoned and the webhook’s status may be set to inactive.
Because retries can result in the same event being delivered more than once, your webhook handler should be idempotent. Use the
deployment_id or other resource IDs in the data payload as a deduplication key to avoid processing the same event twice.GET /webhooks
Returns a list of all webhooks registered in your organization, including their subscribed events and current status.DELETE /webhooks/
Permanently removes a webhook. Varo Cloud will immediately stop delivering events to the associated endpoint.The unique identifier of the webhook to delete.
204 No Content with an empty response body.