Managing Webhooks
Once you've created a webhook (see Getting Started),
you can edit it, toggle it on or off, rotate its secret, or delete it from the
webhook detail page (/app/webhooks/{id}).
The webhook list
Open /app/webhooks to see every webhook on your account. Filter pills at the
top of the page (All, Active, Inactive) narrow the list. Click any
row to open the detail page.
Each row shows:
| Column | Description |
|---|---|
| Status | Active webhooks accept and deliver mail. Inactive webhooks reject it at SMTP time. |
| Name | The label you gave the webhook (or an auto-generated one if you left it blank). |
| Email Address | The address mail must be sent to. |
| Target URL | Where Conduit POSTs the payload. |
Editing a webhook
From the detail page, click Edit. Editable fields:
| Field | Notes |
|---|---|
| Name | Free text. |
| Email address | Editable on private domains. On the public domain the local part is fixed and read-only. See Public domain vs. custom domain. |
| Target URL | Must be HTTPS. |
| Active | Same as the Activate / Deactivate action below. |
| Security policy | Optional SMTP security policy to attach. |
| Custom headers | Optional extra HTTP headers added to every outgoing request. Enter one Name: Value pair per line. Leave the field blank to send no custom headers. The X-Conduit-Signature header is reserved and cannot be overridden. See Custom request headers. |
| Payload template | Optional Go text/template. See Payload templates. |
| Rate limit | Maximum number of emails accepted per minute. Leave blank or enter 0 for no limit. |
Activating and deactivating
Use the Activate / Deactivate button on the detail page to flip the
state. While inactive, Conduit rejects mail at SMTP time with a permanent
failure (550) so the sender's MTA bounces it instead of retrying. Existing
delivery logs are preserved.
This is the safest way to pause traffic (for example while you debug your endpoint or migrate to a new URL) without deleting the webhook and losing its address, secret, or history.
Rotating the secret
Conduit signs every delivery with the webhook's HMAC secret. Rotate the secret if you suspect it has leaked, or as part of routine credential hygiene.
- Open the webhook detail page.
- Click Rotate secret and confirm the prompt.
- Copy the new secret immediately. It is shown once, on the page that loads after rotation.
- Update your endpoint to verify with the new secret.
The old secret stops working immediately. Any deliveries in flight at the moment of rotation will be signed with the new secret. Update your endpoint first if you cannot tolerate a brief signature-verification gap.
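An added example, not Conduit's own code: a receiving-endpoint check that uses the fact that the old secret stops working at rotation, so any later request that verifies under it comes from someone holding the retired secret. It assumes X-Conduit-Signature carries a hex-encoded HMAC-SHA256 of the raw request body (the Webhook Payload Reference defines the real scheme); `classify`, `sig` and the sample values are hypothetical.

```python
import hashlib
import hmac
from typing import Optional


def _mac(secret: bytes, body: bytes) -> bytes:
    # Assumption: HMAC-SHA256 computed over the raw request body.
    return hmac.new(secret, body, hashlib.sha256).digest()


def classify(body: bytes, signature: Optional[str], current: bytes,
             retired: tuple = ()) -> str:
    """Return 'valid', 'retired-secret' or 'invalid' for one delivery."""
    try:
        presented = bytes.fromhex(signature or "")  # assumption: hex encoding
    except ValueError:
        return "invalid"
    # compare_digest runs in constant time, so the check leaks no partial match.
    if hmac.compare_digest(_mac(current, body), presented):
        return "valid"
    # Conduit no longer signs with a rotated-out secret, so a match here means
    # the sender holds the retired secret: reject the request and alert on it.
    if any(hmac.compare_digest(_mac(s, body), presented) for s in retired):
        return "retired-secret"
    return "invalid"


# Constructed sample values, not real secrets or a real Conduit payload.
OLD = b"constructed-old-secret"
NEW = b"constructed-new-secret"
BODY = b'{"subject": "constructed example"}'


def sig(secret: bytes, body: bytes = BODY) -> str:
    """Build a signature the way the assumed scheme would (for the demo only)."""
    return _mac(secret, body).hex()


if __name__ == "__main__":
    # Endpoint updated after rotation: NEW is current, OLD is kept as retired.
    print(classify(BODY, sig(NEW), current=NEW, retired=(OLD,)))
    print(classify(BODY, sig(OLD), current=NEW, retired=(OLD,)))
    # Endpoint not yet updated: deliveries signed with NEW fail until it is.
    print(classify(BODY, sig(NEW), current=OLD))
    print(classify(BODY, None, current=NEW, retired=(OLD,)))
```

Only `valid` should be accepted; keep a retired secret in the list for detection, never for acceptance.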
Deleting a webhook
Click Delete on the detail page and confirm. Deletion is permanent and removes the webhook record itself; delivery logs for the webhook are also deleted. The email address is freed and can be reused by another webhook.
If you only need to stop receiving mail temporarily, deactivate instead of delete.
Next steps
- Delivery Logs. Inspect every attempt Conduit made for a webhook.
- Testing Webhooks. Verify your endpoint without sending real mail.
- Webhook Payload Reference. Payload structure, signature, custom headers, and templates.