POST /api/webhooks
Subscribe an HTTPS URL to one or more memory event types. Mnueron delivers signed POST requests with the event payload.
curl -X POST https://www.mnueron.com/api/webhooks \
-H "Authorization: Bearer $MNUERON_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"url": "https://example.com/hooks/mnueron",
"events": ["memory.saved", "memory.updated"],
"description": "Sync into our CRM"
}'
Body
| Field | Type | Required | Notes |
|---|---|---|---|
url | string | yes | HTTPS in prod; HTTP allowed in dev |
events | string[] | no | Subset of memory.saved, memory.updated, memory.deleted, summary.created. Default ["memory.saved"] |
description | string | no | Free-form |
Response
201 Created
{
"id": "01HQ…",
"url": "https://example.com/hooks/mnueron",
"events": ["memory.saved", "memory.updated"],
"description": "Sync into our CRM",
"enabled": true,
"secret": "whsec_…raw_secret_shown_once…",
"created_at": 1737070000000
}
⚠️
secretis shown ONCE. Store it — every delivery sends an HMAC-SHA256 signature inX-Mnueron-Signatureusing this secret. See Verifying deliveries below.
Verifying deliveries
Each delivery carries headers:
| Header | Value |
|---|---|
X-Mnueron-Event | The event name (e.g. memory.saved) |
X-Mnueron-Signature | sha256=<hex> HMAC of the raw body with your secret |
X-Mnueron-Delivery | Unique delivery id — use for idempotency |
Verify in your handler:
const sig = crypto
.createHmac("sha256", WEBHOOK_SECRET)
.update(rawBody)
.digest("hex");
if (`sha256=${sig}` !== req.headers["x-mnueron-signature"]) {
return res.status(401).end();
}
Delivery payload
{
"event": "memory.saved",
"delivered_at": 1737070000000,
"memory": {
"id": "01HQ…",
"namespace": "preferences",
"tags": ["style"],
"source": "claude-desktop",
"source_ref": null,
"metadata": { "captured_at": ... },
"created_at": 1737070000000
}
}
The full content is not included — too easy to leak. If your handler needs the body, fetch it via GET /api/memories/:id.