Skip to content
Hoursmith Docs
Webhooks

Webhooks overview

Webhooks push workspace events to your own HTTPS endpoint in near real time. Available on the Agency plan for Owners and Admins.

Webhooks let Hoursmith push events from your workspace to your own HTTPS endpoint as things happen — an invoice is paid, a time entry is logged, a task is completed. Instead of polling the API on a schedule, your systems react the moment an event occurs.

Before you start
Plan
Agency
Role
OwnerAdmin

Webhooks require the Agency plan (the outboundWebhooks entitlement) and are configured by an Owner or Admin. On Free and Studio you'll see an upgrade prompt — see Plans & limits and Billing & plans.

How it works

When something happens in your workspace, Hoursmith builds an event, wraps it in a JSON envelope, signs it, and POSTs it to every endpoint subscribed to that event type.

  1. Something happens — for example, a client pays an invoice.
  2. An event is created with a stable id, a type, and a data snapshot of the affected resource.
  3. Hoursmith delivers it as an HTTP POST with Content-Type: application/json and a Hoursmith-Signature header.
  4. Your endpoint verifies the signature, returns a 2xx response quickly, and processes the event.
  5. If delivery fails, Hoursmith retries with backoff.

Deliveries are signed but not encrypted beyond TLS. Always use an HTTPS endpoint and verify the signature before trusting a payload.

What you can subscribe to

Hoursmith emits 8 event types across invoices, time entries, tasks, clients, and projects:

EventFires when
invoice.sentAn invoice is sent to a client.
invoice.paidAn invoice is marked paid.
invoice.payment_failedA payment attempt on an invoice fails.
time_entry.createdA time entry is created.
task.completedA task is marked complete.
task.createdA task is created.
client.createdA client is created.
project.createdA project is created.

There are no wildcard subscriptions in v1 — subscribe to each event type you want. See Event types & payloads for the full envelope and data shapes.

Best practices

  • Return 2xx fast, process async. Acknowledge the delivery immediately and do the real work in a background job. Your endpoint has roughly a 10-second budget.
  • Verify every signature using the Hoursmith-Signature header before acting on a payload.
  • Dedupe on the event id. Retries reuse the same id, so an idempotent handler prevents double-processing.
  • Use HTTPS for your endpoint URL.
  • Keep your signing secret out of source control. Store it in an environment variable or a secrets manager.

Get started

Create an endpoint

Add a URL, pick events, and grab your signing secret.

Event types & payloads

The 8 events and the envelope they arrive in.

Verify signatures

Validate the Hoursmith-Signature header in Node.js or Python.

Retries & replay

Backoff schedule, idempotency, and replaying deliveries.

Was this page helpful?

Troubleshooting

Fix common Hoursmith MCP problems — missing or wrong token, 402 plan errors, old Node, the wrong config path, and forgetting to restart.

Create an endpoint

Add a webhook endpoint in Hoursmith — enter your URL, subscribe to events, and save your signing secret, which is shown only once.

On this page

How it worksWhat you can subscribe toBest practicesGet started