We are here to help you get from zero to one fast.

Get Started    Discussions


read time 20 minutes


Standard Plan Required

This feature is enabled for customers on the Standard and Pro plans.

Webhooks are a great way to integrate Enclave into your continuous delivery flow. Each webhook will receive a POST request from Doppler when a config's secrets have changed.

Creating a Webhook

To create a Webhook go to a project and then select the 路路路 button in the upper right corner. It should open an Options dialog.

Then click the Webhooks option, which will take you to the webhooks management page.

Next we will want to click the Add Webhook button. This will open a dialog asking you to provide the webhook URL and an optional signing secret. If a signing secret is provided, Doppler will cryptographically sign all webhook requests. This signature allows you to verify that each request to your Webhook originated from Doppler.

After adding the webhook, you should see it listed in the Active Webhooks table.

Accepting Webhooks

Your endpoint will receive a JSON payload of the following structure.

typeEvent types available:
configConfig object
projectProject object
workplaceWorkplace object

Here is an example payload from a webhook.

    "type": "enclave.project.config.secrets.update",
    "config": {
        "name": "dev_2",
        "created_at": "2019-05-30T08:18:33.634Z",
        "environment": "dev",
        "project": "714faaa5958"
    "project": {
        "id": "714faaa5958",
        "name": "Backend",
        "description": "Your first pipeline!",
        "created_at": "2019-05-26T01:42:30.256Z"
    "workplace": {
        "id": "fcd76",
        "name": "Pied Piper",
        "billing_email": "[email protected]"

If a signing secret was supplied, the request will also include an X-Doppler-Signature header. This header value will be a SHA256 hash of the request body prepended with sha256= (e.g. X-Doppler-Signature: sha256=724cd2c1110335a8ea6207f74cd74fb198a8e59ca1b7b39d67678e0f97df832e). To verify the signature, create your own SHA256 hash of the request body using your supplied secret. Then compare the header value against your own computed value using a timing-safe equality function. Here is an example of how you might accomplish this using Node.js.

const bodyParser = require("body-parser");
const crypto = require("crypto");
const express = require("express");

const app = express();
  limit: '200kb',
}));'/webhooks/doppler', (req, res) => {
  const requestHMAC = req.header("X-Doppler-Signature");
  const secret = process.env.WEBHOOK_SECRET;
  const computedHMAC = `sha256=${crypto.createHmac('sha256', secret).update(JSON.stringify(req.body)).digest('hex')}`;
  const signatureMatches = crypto.timingSafeEqual(Buffer.from(requestHMAC), Buffer.from(computedHMAC));
  if (signatureMatches) {
    // do stuff

  res.sendStatus(signatureMatches ? 200 : 401);

Removing a Webhook

Removing a webhook is simple. After determining which webhook you would like to remove, click the Remove button. This will trigger a confirmation dialog.

Once confirmed you should see the webhook as has been removed from the table.

Updated 17 days ago


read time 20 minutes

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.