Fern DefinitionAdvanced

Webhooks in the Fern Definition

View as Markdown

In Fern, you can specify webhooks in your API definition. The webhooks will be included in both the generated SDKs and the API documentation.

Webhook definition

Each webhook defines:

  1. Method: The HTTP Method that the webhook will use (either GET or POST)
  2. Headers: The headers that the webhook will send
  3. Payload: The schema of the webhook payload
webhooks.yml
1webhooks: 
2  paymentNotification: 
3    display-name: Payment Notification
4    docs: Receive a notification when a payment changes status
5    method: POST 
6    headers: 
7      X-Signature-Primary: 
8        type: string 
9        docs: An HMAC signature of the payload
10    payload: PaymentNotificationPayload
11
12types: 
13  PaymentNotificationPayload: 
14    discriminant: notificationType
15    union: 
16      queued: QueuedPaymentNotification
17      processing: ProcessingPaymentNotification
18      completed: CompletedPaymentNotification

Inlined payloads

You can inline the schema of the payload by doing the following:

webhooks.yml
1webhooks: 
2  paymentNotification: 
3    display-name: Payment Notification
4    docs: Receive a notification when a payment changes status
5    method: POST 
6    headers: 
7      X-Signature-Primary: 
8        type: string 
9        docs: An HMAC signature of the payload
10    payload:
11      name: PaymentNotificationPayload
12      properties: 
13        id:
14          type: string
15          docs: The notification id
16        amount: double
17        currency: Currency

Generate webhook reference

Fern Docs can automatically generate your webhook reference documentation from your definition. Set this up in your docs.yml file.

Your webhook reference can be a single documentation page:

docs.yml
1navigation:
2  - api: Webhook Reference # Display name for this page
3    api-name: webhooks-v1 # Directory containing webhook definition

Or you can configure individual documentation pages per webhook event:

docs.yml
1navigation:
2  - subpackage_api.newPlantWebhook # Format: subpackage_{name-of-api}.{webhook-event-name}

For more information on how to configure your webhook reference in docs.yml, see Generate your webhook reference.

SDK signature verification

You can configure webhook signature verification directly in your Fern Definition using the webhook-signature block. When configured, Fern generates SDK utilities that allow users to verify webhook signatures and ensure events originate from your API.

Configuration can be set at the document level (applies to all webhooks) or per-webhook (overrides the document-level default). Both levels accept the same configuration options.

Fern supports two verification methods: HMAC (symmetric key verification using shared secrets) and Asymmetric (public key verification using RSA, ECDSA, or Ed25519 keys).

api.yml
1webhook-signature:
2  type: hmac
3  header: x-webhook-signature
4  algorithm: sha256
5  encoding: hex
6
7webhooks:
8  userCreated:
9    method: POST
10    payload: UserCreatedPayload
11    # Inherits document-level signature config
12
13  orderCompleted:
14    method: POST
15    payload: OrderCompletedPayload
16    # Inherits document-level signature config

Configuration options

These fields apply to both HMAC and asymmetric verification.

type
'hmac' | 'asymmetric'Required

The signature verification method. Use hmac for symmetric key verification with shared secrets, or asymmetric for public key verification.

stringRequired

The HTTP header containing the signature. For example, x-webhook-signature or x-hub-signature-256.

encoding
'base64' | 'hex'Required

The encoding format of the signature value in the header.

signature-prefix
string

A prefix to strip from the signature header value before verification. For example, "sha256=" or "rsa=".

timestamp.header
stringRequired

HTTP header containing the delivery timestamp.

timestamp.format
'unix-seconds' | 'unix-millis' | 'iso8601'Required

Format of the timestamp value in the header.

timestamp.tolerance
integerDefaults to 300

Allowed clock skew in seconds. Requests with timestamps outside this window are rejected.

These fields apply when type is set to hmac.

algorithm
'sha256' | 'sha1' | 'sha384' | 'sha512'Required

The HMAC hash algorithm for signature computation. sha256 is recommended. sha1 is deprecated and should only be used for legacy compatibility.

payload-format.components
list of stringsRequired

Ordered list of payload components to concatenate before hashing. Available components:

ComponentDescription
bodyRaw request body
timestampTimestamp value from timestamp header
notification-urlThe webhook/callback URL
message-idProvider-assigned message identifier
payload-format.delimiter
stringRequired

String used to join the components. Use "." for timestamp-prefixed payloads or "" for direct concatenation.

These fields apply when type is set to asymmetric.

asymmetric-algorithm
'rsa-sha256' | 'rsa-sha384' | 'rsa-sha512' | 'ecdsa-sha256' | 'ecdsa-sha384' | 'ecdsa-sha512' | 'ed25519'Required

The asymmetric signing algorithm. rsa-sha256 and ecdsa-sha256 are widely supported defaults. ed25519 is a modern, efficient option.

jwks-url
string

JSON Web Key Set (JWKS) endpoint URL of the key retrieval service. Required when using JWKS-based key rotation; omit for static key verification.

key-id-header
string

HTTP header containing the key ID used to select the correct key from the JWKS endpoint.