Available Events
The following events can trigger webhook deliveries to your registered endpoints.| Event | Triggered When |
|---|---|
record.created | A new data record is created |
record.updated | A data record is modified |
record.deleted | A data record is deleted |
user.invited | A user is invited to the workspace |
user.removed | A user is removed |
integration.connected | An integration is connected |
integration.disconnected | An integration is removed |
Webhook Payload
Every webhook delivery is aPOST request to your registered URL with a Content-Type: application/json header and a consistent JSON body structure. The data object reflects the resource that triggered the event.
Example Payload
Payload Fields
The event type that triggered this delivery (e.g.,
record.created).ISO 8601 timestamp of when the event occurred in the workspace.
The unique identifier of the workspace where the event took place.
The resource object associated with the event. The shape of this object varies by event type — record events include record fields, user events include user fields, and so on.
Google expects your endpoint to respond with an HTTP
2xx status code within 5 seconds. If the delivery times out or receives a non-2xx response, it will be retried up to three times with exponential backoff.Register Webhook
Register a new endpoint URL to start receiving event notifications for your workspace.POST https://api.google.com/v1/webhooks
Body Parameters
The publicly accessible HTTPS URL that Google should send event payloads to. Must begin with
https://.An array of event type strings to subscribe to. Use
["*"] to subscribe to all events. See the Available Events table for valid values.An optional secret string used to generate an HMAC-SHA256 signature for each delivery. When provided, Google includes an
X-Google-Signature header with every request so you can verify authenticity. See Verifying Webhook Signatures for implementation details.Example Request
Example Response
List Webhooks
Retrieve all webhook registrations for your workspace.GET https://api.google.com/v1/webhooks
Example Request
Example Response
Delete Webhook
Remove a registered webhook. Google will immediately stop delivering events to the associated URL.DELETE https://api.google.com/v1/webhooks/:id
Path Parameters
The unique identifier of the webhook to delete (e.g.,
wh_abc123).Example Request
204 No Content with an empty body.
Verifying Webhook Signatures
When you register a webhook with asecret, Google includes an X-Google-Signature header with every request. The value is a SHA-256 HMAC of the raw request body, prefixed with sha256=. Verifying this signature ensures the payload genuinely came from Google and has not been tampered with.
Verification Example (Node.js)
Always compute the HMAC over the raw request body bytes — not a re-serialized JSON object. Parsing and re-stringifying the payload can change whitespace and key ordering, producing a different byte sequence and causing signature validation to fail. Use
express.raw() (or equivalent) to capture the original bytes before any JSON parsing occurs.Error Reference
400 Bad Request
400 Bad Request
The request body is missing required fields (
url or events), the URL is not a valid HTTPS address, or the events array contains unrecognized event types.401 Unauthorized
401 Unauthorized
404 Not Found
404 Not Found
No webhook exists with the specified
id. Use the List Webhooks endpoint to confirm the correct identifier.422 Unprocessable Entity
422 Unprocessable Entity
The request is syntactically valid but the provided
url is unreachable or returns non-2xx responses during validation.429 Too Many Requests
429 Too Many Requests
You have exceeded the webhook registration limit for your plan. Review your existing webhooks and remove any that are no longer needed.