Public API
Automation
Webhooks
Create webhook endpoints from the workspace and receive signed job lifecycle events from FileMorf.
Base route
https://api.filemorf.com/api/public
Auth
Bearer API key created from the workspace.
Delivery model
Signed uploads, queued jobs, retained artifacts, refreshable URLs.
Delivery
Webhook endpoints are configured from the workspace
The public API emits signed lifecycle events, but endpoint registration stays in the authenticated workspace surface so secrets and delivery operations remain account-scoped.
- Create and manage webhook endpoints in Workspace → Workflows.
- Receive signed POST requests for job lifecycle changes.
- Use raw request bodies when verifying signatures; do not JSON.stringify a parsed payload.
Headers
Validate FileMorf signature headers on every delivery
Each delivery includes event metadata plus an HMAC signature derived from the timestamp and raw body.
| Header | Meaning |
|---|---|
| X-FileMorf-Event | Event type such as job.completed or job.failed. |
| X-FileMorf-Delivery | Unique delivery identifier for replay protection and logs. |
| X-FileMorf-Timestamp | Unix timestamp string used in signature verification. |
| X-FileMorf-Signature | sha256=<hex hmac of timestamp.rawBody> |
Events
Current webhook event types
Deliveries are currently focused on job lifecycle state. Recipe runs are observed indirectly through their child jobs.
- job.started
- job.completed
- job.failed
- job.expired
Verify signature
import crypto from "node:crypto";
const timestamp = request.headers["x-filemorf-timestamp"];
const signature = request.headers["x-filemorf-signature"];
const rawBody = request.rawBody;
const expected = "sha256=" + crypto
.createHmac("sha256", process.env.FILEMORF_WEBHOOK_SECRET)
.update(`${timestamp}.${rawBody}`)
.digest("hex");
if (signature !== expected) {
throw new Error("Invalid FileMorf webhook signature");
}