Webhooks — RaceHooks Docs

Webhooks

A webhook is a registered endpoint URL paired with a feed subscription. RaceHooks POSTs a JSON payload to that URL for every matching event during a live session. The webhook infrastructure is sport-agnostic — the same endpoint, signature verification, and filter system works across every sport RaceHooks supports. Each webhook is scoped to a single feed, and you can apply filters to narrow which events trigger a delivery.

Lifecycle

Webhooks have three operational states:

activeDeliveries are sent for every matching event. This is the default state after creation.

pausedNo deliveries are sent. The webhook remains registered and can be resumed at any time without losing configuration.

deletedPermanently removed. All logs are retained for 90 days after deletion.

Create a webhook

Each webhook subscribes to exactly one feed. To receive multiple feeds at the same endpoint, create one webhook per feed. The webhookSecret is available at creation time and retrievable anytime via GET /v1/webhooks/:id/secret.

curl -X POST https://api.racehooks.io/v1/webhooks \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "webhookUrl": "https://your-app.com/f1",
    "feedId": "timingdata"
  }'

# Response
{
  "data": {
    "webhookId": "wh_7a3b9c2d",
    "webhookUrl": "https://your-app.com/f1",
    "feedId": "timingdata",
    "active": true,
    "webhookSecret": "whsec_a3f9b..."  // shown once — store securely
  }
}

⚠

Retrieve your webhookSecret anytime via GET /v1/webhooks/:id/secret. To issue a new secret, rotate it from the webhook detail page or via POST /v1/webhooks/:id/rotate-secret. Rotation takes effect immediately.

Request fields

Field	Type	Description
`webhookUrl`	`string`	Your HTTPS endpoint URL. Must be publicly reachable. Localhost is supported during Simulate replays.
`feedId`	`string`	The feed to subscribe to. See Feed catalog for all available IDs.
`webhookMethod`	`string?`	HTTP method for deliveries. Defaults to POST. Can be PUT.
`filters`	`object?`	Optional delivery filter. See Filters below.

Filters

Filters let you narrow which events trigger a delivery. They are evaluated per payload before each delivery attempt — only matching events are sent. Filters are supported on per-driver feeds (timingdata, stintdata, driverraceinfo, etc.) and on the raceevent feed.

Available filters

Field	Type	Description
`drivers`	`string[]`	Three-letter driver codes (TLAs). e.g. ["VER", "NOR"]. Resolved to driver numbers at delivery time.
`driverNumbers`	`string[]`	Raw driver racing numbers. e.g. ["1", "4"]. Use drivers (TLAs) for readability.
`constructors`	`string[]`	Team name keywords (case-insensitive partial match). e.g. ["ferrari", "mclaren"]. Resolved to all drivers on those teams using the current session's DriverList.
`positions`	`{ min?: number; max?: number }`	Race position range. Only delivers when at least one matching driver is within the specified position window.

# Filter by driver TLA codes
curl -X POST https://api.racehooks.io/v1/webhooks \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "webhookUrl": "https://your-app.com/verstappen",
    "feedId": "timingdata",
    "filters": {
      "drivers": ["VER", "NOR"]
    }
  }'

# Filter by constructor keyword + position range
curl -X POST https://api.racehooks.io/v1/webhooks \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "webhookUrl": "https://your-app.com/ferrari-top5",
    "feedId": "timingdata",
    "filters": {
      "constructors": ["ferrari"],
      "positions": { "min": 1, "max": 5 }
    }
  }'

ℹ

Filters are combined with AND logic: if you specify both constructors and positions, a payload is delivered only when a constructor driver is within the position range.

✦

Constructor filters use fuzzy matching — "red bull" and "redbull" both match Red Bull Racing. The driver list is resolved live from the current session's DriverList feed, so mid-season team swaps are handled automatically.

HMAC signatures

On the Live tier and above, every delivery includes an X-RaceHooks-Signature header containing an HMAC-SHA256 signature of the request body. Verifying this header proves the delivery originated from RaceHooks and the body was not tampered with in transit.

X-RaceHooks-Signature: sha256=a3f9b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0

The signature is computed as:

HMAC-SHA256(webhookSecret, rawRequestBody)

Always verify against the raw request body bytes, not the parsed JSON object. Use a timing-safe comparison function (timingSafeEqual in Node.js, hmac.compare_digest in Python, subtle.ConstantTimeCompare in Go) to prevent timing attacks.

import crypto from "crypto";
import { verifySignature } from "racehooks"; // or implement manually

// Express example — use raw body middleware
app.use("/f1-hook", express.raw({ type: "application/json" }));

app.post("/f1-hook", (req, res) => {
  const sig = req.headers["x-racehooks-signature"] as string;
  const ok  = verifySignature(req.body, sig, process.env.WEBHOOK_SECRET!);

  if (!ok) return res.status(401).send("Invalid signature");

  const payload = JSON.parse(req.body.toString());
  // handle payload...
  res.sendStatus(200);
});

Rotate a secret

If a secret is compromised or you want to rotate it for security hygiene, call the rotation endpoint. The new secret takes effect immediately.

bash

curl -X POST https://api.racehooks.io/v1/webhooks/wh_7a3b9c2d/rotate-secret \
  -H "Authorization: Bearer ${TOKEN}"

# Response — new secret shown once
{
  "data": {
    "webhookSecret": "whsec_b4c8d..."
  }
}

⚠

After rotation, the new secret is returned in the response and retrievable anytime via GET /v1/webhooks/:id/secret. Update your verification code before sending the next delivery.

Delivery SLA and retries

RaceHooks retries failed deliveries with exponential backoff:

AttemptDelay

1 (initial)Immediate

21 second

35 seconds

430 seconds

A delivery is considered successful when your endpoint returns a 2xx status code within 10 seconds. Any other response (timeout, 4xx, 5xx) triggers a retry.

The Live and Analytics tiers include a uniform 99.5% delivery SLA, measured per calendar month. The SLA covers delivery infrastructure and excludes upstream feed availability; remedies are service credits. Enterprise contracts negotiate custom terms.

← Quickstart Race Events →