Skip to main content
Prequel Import emits webhooks for a number of event types. You can subscribe to specific event types and configure delivery through HTTPS, Slack, PagerDuty, or Datadog using the /webhooks endpoints.

Managing webhook subscriptions

The webhook subscription API supports full CRUD:
MethodPathPurpose
GET/webhooksList webhook subscriptions.
POST/webhooksCreate a webhook subscription.
GET/webhooks/{webhook_id}Retrieve a single webhook subscription.
PATCH/webhooks/{webhook_id}Update a webhook subscription.
DELETE/webhooks/{webhook_id}Delete a webhook subscription.
Each webhook subscription targets exactly one delivery vendor. The request body uses a webhook wrapper containing vendor-specific options.

Webhook event types

Prequel Import webhook event types are in flux and are expected to change. They will be documented here soon.

Delivery methods

HTTP POST and GET

Prequel Import supports HTTPS callbacks to your webhook receiver. When creating a webhook with vendor: generic_post, payloads arrive as JSON. The vendor: generic_get type delivers payloads as URL parameters. Both require a url and accept an optional api_key for authenticated receivers.

Third-party integrations

You can route events to PagerDuty (vendor: pagerduty), Slack (vendor: slack), and Datadog (vendor: datadog) with vendor-specific payload formatting. Slack expects a https://hooks.slack.com/services/... URL. PagerDuty and Datadog authenticate with their respective integration keys passed as api_key.

Authentication

Webhooks can include an API key for destinations requiring authentication. Prequel signs every payload and includes the signature in the X-Prequel-Webhook-Signature header for verification purposes.

Versioning

At this time, webhook versioning is in flux and is expected to change.

Payload structure

Headers

HeaderDescription
Content-TypeAlways application/json
X-Prequel-Webhook-TimestampEvent send timestamp
X-Prequel-Webhook-SignatureSHA-256 RSA PKCS1 v1.5 signature
X-Prequel-Webhook-DigestOptional SHA-256 hash for verification

Body format

All events follow this structure:
Webhook payload
{
  "type": "resource_type.event_type",
  "version": "XXXX-XX-XX",
  "created_at": "...",
  "data": {
    // event-specific content
  }
}

Signature verification

Prequel uses asymmetric cryptography with RSA key pairs. The private key signs payloads; your account’s public key verifies authenticity.

Verification steps

1. Retrieve Public Key Access your webhook public key via the /public/signatures/webhook-public-key API endpoint. Fetch this value rather than hardcoding it, since the key may be rotated. 2. Reconstruct Signing Data Extract the timestamp from the X-Prequel-Webhook-Timestamp header (RFC 3339 format). Combine timestamp, a period (.), and the raw JSON body. Hash this concatenated string using SHA-256.
Use the raw request body before JSON deserialization, as parsing may introduce subtle changes.
Validate Body Hash The X-Prequel-Webhook-Digest header contains the SHA-256 hash of the raw body only. Compare this against your computed hash to verify correct body handling. Do not use this for signature confirmation. 3. Confirm Signature Verify the signing data hash against the signature in X-Prequel-Webhook-Signature using your public key with PKCS1 v1.5 scheme. Hex-decode Prequel’s signature before comparison. 4. Check Timestamp Implement a time window (e.g., 5 minutes) to reject outdated events and prevent replay attacks.

Object storage manifest signatures

When data is delivered to an object storage datalake (S3, GCS, ABS, S3-compatible), Prequel writes a signed manifest alongside the data so consumers can verify the manifest came from Prequel. Fetch the verification key with GET /public/signatures/object-storage-manifest-public-key and treat it the same way as the webhook public key. Fetch the value dynamically rather than hardcoding it, since the key may rotate.