Authentication
All API requests require an API key passed via the X-API-Key header. You can generate keys in your dashboard.
Keep your API keys secure. Do not expose them in client-side code or public repositories. Use separate keys for production and development environments.
curl -H "X-API-Key: ep_live_abc123def456" \ https://api.eventpipe.dev/v1/events
Keys are prefixed with ep_live_ for production and ep_test_ for test mode.
Events
Submit a new event for routing and delivery. Eventpipe will match the event against all active subscriptions and deliver it to the configured endpoints.
| Parameter | Type | Required | Description |
|---|---|---|---|
| type | string | required | Event type identifier, e.g. order.created |
| source | string | required | Origin system of the event, e.g. shopify |
| payload | object | required | Arbitrary JSON payload to deliver to subscribers |
| idempotency_key | string | optional | Unique key to prevent duplicate event delivery |
curl -X POST https://api.eventpipe.dev/v1/events \
-H "X-API-Key: ep_live_abc123def456" \
-H "Content-Type: application/json" \
-d '{
"type": "order.created",
"source": "shopify",
"payload": {
"order_id": "ord_12345",
"amount": 99.00,
"currency": "USD"
}
}'
{
"id": "evt_a1b2c3d4e5",
"type": "order.created",
"source": "shopify",
"status": "accepted",
"created_at": "2025-02-10T14:30:00Z"
}
Retrieve event details and delivery status. Includes all delivery attempts with HTTP status codes and timing information.
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | required | Event ID returned from the send endpoint |
{
"id": "evt_a1b2c3d4e5",
"type": "order.created",
"source": "shopify",
"status": "delivered",
"created_at": "2025-02-10T14:30:00Z",
"delivery_attempts": [
{
"endpoint_id": "end_xyz789",
"status": "success",
"http_status": 200,
"attempted_at": "2025-02-10T14:30:01Z",
"duration_ms": 145
}
]
}
Endpoints
Register a new webhook endpoint to receive event deliveries. Eventpipe will send HTTP POST requests to your URL when matching events arrive.
| Parameter | Type | Required | Description |
|---|---|---|---|
| url | string | required | HTTPS URL to deliver events to |
| events | array | required | Event type patterns to subscribe to, e.g. ["order.*"] |
| active | boolean | optional | Whether the endpoint is active. Defaults to true |
curl -X POST https://api.eventpipe.dev/v1/endpoints \
-H "X-API-Key: ep_live_abc123def456" \
-H "Content-Type: application/json" \
-d '{
"url": "https://app.example.com/webhooks",
"events": ["order.*"]
}'
{
"id": "end_xyz789",
"url": "https://app.example.com/webhooks",
"events": ["order.*"],
"active": true,
"secret": "whsec_k8s9d7f6g5h4j3k2",
"created_at": "2025-02-10T14:00:00Z"
}
The secret field is only returned once at creation time. Store it securely — use it to verify incoming webhook signatures.
Returns a paginated list of all webhook endpoints registered to your account.
| Parameter | Type | Required | Description |
|---|---|---|---|
| active | boolean | optional | Filter by active status |
| limit | integer | optional | Number of results per page. Default 20, max 100 |
| cursor | string | optional | Pagination cursor from a previous response |
{
"data": [
{
"id": "end_xyz789",
"url": "https://app.example.com/webhooks",
"events": ["order.*"],
"active": true,
"created_at": "2025-02-10T14:00:00Z"
}
],
"has_more": false,
"next_cursor": null
}
Permanently removes a webhook endpoint. All associated subscriptions will be deleted. In-flight deliveries will still be attempted.
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | required | Endpoint ID to delete |
{ "deleted": true }
Subscriptions
Create a routing subscription to filter which events are delivered to a specific endpoint. Use pattern matching on type and source to control routing logic.
| Parameter | Type | Required | Description |
|---|---|---|---|
| endpoint_id | string | required | ID of the endpoint to route matching events to |
| filter | object | required | Routing filter with type and/or source patterns |
curl -X POST https://api.eventpipe.dev/v1/subscriptions \
-H "X-API-Key: ep_live_abc123def456" \
-H "Content-Type: application/json" \
-d '{
"endpoint_id": "end_xyz789",
"filter": {
"type": "payment.*",
"source": "stripe"
}
}'
{
"id": "sub_m3n4o5p6q7",
"endpoint_id": "end_xyz789",
"filter": {
"type": "payment.*",
"source": "stripe"
},
"active": true,
"created_at": "2025-02-10T15:00:00Z"
}
Returns a paginated list of all routing subscriptions. Optionally filter by endpoint.
| Parameter | Type | Required | Description |
|---|---|---|---|
| endpoint_id | string | optional | Filter subscriptions by endpoint ID |
| limit | integer | optional | Number of results per page. Default 20, max 100 |
{
"data": [
{
"id": "sub_m3n4o5p6q7",
"endpoint_id": "end_xyz789",
"filter": {
"type": "payment.*",
"source": "stripe"
},
"active": true,
"created_at": "2025-02-10T15:00:00Z"
}
],
"has_more": false,
"next_cursor": null
}
Logs
Query delivery logs across all endpoints. Supports filtering by event, endpoint, status, and time range. Useful for debugging failed deliveries and auditing delivery history.
| Parameter | Type | Required | Description |
|---|---|---|---|
| event_id | string | optional | Filter logs for a specific event |
| endpoint_id | string | optional | Filter logs for a specific endpoint |
| status | string | optional | Filter by delivery status: success, failed, or pending |
| from | string | optional | ISO 8601 datetime — start of time range |
| to | string | optional | ISO 8601 datetime — end of time range |
| limit | integer | optional | Number of results. Default 50, max 100 |
curl "https://api.eventpipe.dev/v1/logs?status=failed&limit=10" \ -H "X-API-Key: ep_live_abc123def456"
{
"data": [
{
"id": "log_abc123",
"event_id": "evt_a1b2c3d4e5",
"endpoint_id": "end_xyz789",
"status": "success",
"http_status": 200,
"duration_ms": 145,
"attempted_at": "2025-02-10T14:30:01Z"
}
],
"has_more": false,
"total": 1
}
Webhook Signature Verification
Eventpipe signs all outgoing webhook deliveries with HMAC-SHA256 using your endpoint's secret. Verify the X-Eventpipe-Signature header to ensure authenticity.
The signature is a hex-encoded HMAC-SHA256 digest of the raw request body. Always use the raw body bytes — not a parsed or reformatted version.
const crypto = require('crypto');
function verifySignature(rawBody, signature, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}
// In your webhook handler
app.post('/webhooks', (req, res) => {
const signature = req.headers['x-eventpipe-signature'];
const isValid = verifySignature(req.rawBody, signature, endpointSecret);
if (!isValid) {
return res.status(401).json({ error: 'Invalid signature' });
}
// Process the event
res.status(200).json({ received: true });
});
Use crypto.timingSafeEqual to prevent timing attacks. Never use a simple string comparison for signature verification.
Rate Limits
API requests are rate-limited per API key. Limits vary by plan:
| Plan | Rate Limit | Burst |
|---|---|---|
| Free | 10 requests / second | Up to 20 |
| Pro | 100 requests / second | Up to 200 |
| Business | 1,000 requests / second | Up to 2,000 |
When rate limited, the API returns 429 Too Many Requests with a Retry-After header indicating how many seconds to wait before retrying.
{
"error": "rate_limit_exceeded",
"message": "Too many requests. Please retry after 2 seconds.",
"retry_after": 2
}
Need higher limits? Contact us to discuss a custom plan.