Webhooks are the simplest way to react to things happening in your Appwrite project without polling. A user signs up. A file gets uploaded. A database row is updated. Appwrite fires an HTTP POST to a URL you control, and your server handles it.
The mechanics are straightforward, but there are details worth getting right: which events to subscribe to, how to verify that a request actually came from Appwrite, and how to structure your handler to handle retries gracefully.
Setting up a webhook
Webhooks are configured at the project level in the Appwrite Console:
- Open your project and go to Settings.
- Click Webhooks in the sidebar.
- Click Add Webhook.
- Give it a name, enter your endpoint URL, and select the events you want to subscribe to.
- Optionally, enable HTTP Basic Authentication to add an extra credential layer on your endpoint.
- Click Create.
That's it. Appwrite will now send a POST request to your URL every time one of the selected events fires.
You can also configure webhooks to send requests with a custom HTTP signature for verification, covered in the security section below.
Choosing events
Appwrite's event system covers everything that happens in your project. Events are grouped by resource type:
Authentication events
Name Description teams.*This event triggers on any teams event. Returns Team Objectteams.*.createThis event triggers when a team is created. Returns Team Objectteams.*.deleteThis event triggers when a team is deleted. Returns Team Objectteams.*.memberships.*This event triggers on any team memberships event. Returns Membership Objectteams.*.memberships.*.createThis event triggers when a membership is created. Returns Membership Objectteams.*.memberships.*.deleteThis event triggers when a membership is deleted. Returns Membership Objectteams.*.memberships.*.updateThis event triggers when a membership is updated. Returns Membership Objectteams.*.memberships.*.update.statusThis event triggers when a team memberships status is updated. Returns Membership Objectteams.*.updateThis event triggers when a team is updated. Returns Team Objectteams.*.update.prefsThis event triggers when a team's preferences are updated. Returns Team Objectusers.*This event triggers on any user's event. Returns User Objectusers.*.createThis event triggers when a user is created. Returns User Objectusers.*.deleteThis event triggers when a user is deleted. Returns User Objectusers.*.recovery.*This event triggers on any user's recovery token event. Returns Token Objectusers.*.recovery.*.createThis event triggers when a recovery token for a user is created. Returns Token Objectusers.*.recovery.*.updateThis event triggers when a recovery token for a user is validated. Returns Token Objectusers.*.sessions.*This event triggers on any user's sessions event. Returns Session Objectusers.*.sessions.*.createThis event triggers when a session for a user is created. Returns Session Objectusers.*.sessions.*.deleteThis event triggers when a session for a user is deleted. Returns Session Objectusers.*.updateThis event triggers when a user is updated. Returns User Objectusers.*.update.emailThis event triggers when a user's email address is updated. Returns User Objectusers.*.update.nameThis event triggers when a user's name is updated. Returns User Objectusers.*.update.passwordThis event triggers when a user's password is updated. Returns User Objectusers.*.update.prefsThis event triggers when a user's preferences is updated. Returns User Objectusers.*.update.statusThis event triggers when a user's status is updated. Returns User Objectusers.*.verification.*This event triggers on any user's verification token event. Returns Token Objectusers.*.verification.*.createThis event triggers when a verification token for a user is created. Returns Token Objectusers.*.verification.*.updateThis event triggers when a verification token for a user is validated. Returns Token ObjectDatabases events
Name Description tablesdb.*This event triggers on any database event. Returns Database Objecttablesdb.*.tables.*This event triggers on any table event. Returns Table Objecttablesdb.*.tables.*.columns.*This event triggers on any columns event. Returns Column Objecttablesdb.*.tables.*.columns.*.createThis event triggers when a column is created. Returns Column Objecttablesdb.*.tables.*.columns.*.updateThis event triggers when a column is updated. Returns Column Objecttablesdb.*.tables.*.columns.*.deleteThis event triggers when a column is deleted. Returns Column Objecttablesdb.*.tables.*.createThis event triggers when a table is created. Returns Table Objecttablesdb.*.tables.*.deleteThis event triggers when a table is deleted. Returns Table Objecttablesdb.*.tables.*.rows.*This event triggers on any rows event. Returns Row Objecttablesdb.*.tables.*.rows.*.createThis event triggers when a row is created. Returns Row Objecttablesdb.*.tables.*.rows.*.deleteThis event triggers when a row is deleted. Returns Row Objecttablesdb.*.tables.*.rows.*.updateThis event triggers when a row is updated. Returns Row Objecttablesdb.*.tables.*.rows.*.upsertThis event triggers when a row is upserted. Returns Row Objecttablesdb.*.tables.*.indexes.*This event triggers on any indexes event. Returns Index Objecttablesdb.*.tables.*.indexes.*.createThis event triggers when an index is created. Returns Index Objecttablesdb.*.tables.*.indexes.*.updateThis event triggers when an index is updated. Returns Index Objecttablesdb.*.tables.*.indexes.*.deleteThis event triggers when an index is deleted. Returns Index Objecttablesdb.*.tables.*.updateThis event triggers when a table is updated. Returns Table Objecttablesdb.*.createThis event triggers when a database is created. Returns Database Objecttablesdb.*.deleteThis event triggers when a database is deleted. Returns Database Objecttablesdb.*.updateThis event triggers when a database is updated. Returns Database ObjectStorage events
Name Description buckets.*This event triggers on any buckets event. Returns Bucket Objectbuckets.*.createThis event triggers when a bucket is created. Returns Bucket Objectbuckets.*.deleteThis event triggers when a bucket is deleted. Returns Bucket Objectbuckets.*.files.*This event triggers on any files event. Returns File Objectbuckets.*.files.*.createSince the Appwrite SDK chunks files in 5MB increments, this event will trigger for each 5MB chunk. A file is fully uploaded whenchunksTotalequalschunksUploaded. Returns File Objectbuckets.*.files.*.deleteThis event triggers when a file is deleted. Returns File Objectbuckets.*.files.*.updateThis event triggers when a file is updated. Returns File Objectbuckets.*.updateThis event triggers when a bucket is updated. Returns Bucket ObjectFunctions events
Name Description functions.*This event triggers on any functions event. Returns Function Objectfunctions.*.createThis event triggers when a function is created. Returns Function Objectfunctions.*.deleteThis event triggers when a function is deleted. Returns Function Objectfunctions.*.deployments.*This event triggers on any deployments event. Returns Deployment Objectfunctions.*.deployments.*.createThis event triggers when a deployment is created. Returns Deployment Objectfunctions.*.deployments.*.deleteThis event triggers when a deployment is deleted. Returns Deployment Objectfunctions.*.deployments.*.updateThis event triggers when a deployment is updated. Returns Deployment Objectfunctions.*.executions.*This event triggers on any executions event. Returns Execution Objectfunctions.*.executions.*.createThis event triggers when an execution is created. Returns Execution Objectfunctions.*.executions.*.deleteThis event triggers when an execution is deleted. Returns Execution Objectfunctions.*.executions.*.updateThis event triggers when an execution is updated. Returns Execution Objectfunctions.*.updateThis event triggers when a function is updated. Returns Function ObjectMessaging events
Name Description providers.*This event triggers on any providers event. Returns Provider Objectproviders.*.createThis event triggers when a provider is created. Returns Provider Objectproviders.*.deleteThis event triggers when a provider is deleted. Returns Provider Objectproviders.*.updateThis event triggers when a provider is updated. Returns Provider Objecttopics.*This event triggers on any topic event. Returns Topic Objecttopics.*.createThis event triggers when a topic is created. Returns Topic Objecttopics.*.deleteThis event triggers when a topic is deleted. Returns Topic Objecttopics.*.updateThis event triggers when a topic is updated. Returns Topic Objecttopics.*.subscribers.*.createThis event triggers when a subscriber to a topic is created. Returns Topic Objecttopics.*.subscribers.*.deleteThis event triggers when a subscriber to a topic is deleted. Returns Topic Objectmessages.*This event triggers on any message event. Returns Message Objectmessages.*.createThis event triggers when a message is created. Returns Message Objectmessages.*.deleteThis event triggers when a message is deleted. Returns Message Objectmessages.*.updateThis event triggers when a message is updated. Returns Message Object
The * wildcard matches any resource ID. You can use specific IDs instead of wildcards to subscribe only to events from a particular table, bucket, or function.
For example, to trigger only when rows are created in a specific table:
databases.<DATABASE_ID>.tables.<TABLE_ID>.rows.*.create
Keep your subscriptions specific. Subscribing to * (all events) on a busy project will result in a high volume of requests to your endpoint.
What the webhook payload looks like
The webhook body is JSON. The payload mirrors the API response for the event type. For a row create event, you get the full row object. For a user create event, you get the user object.
Example payload for a users.*.create event:
{
"$id": "user_abc123",
"$createdAt": "2026-03-26T10:00:00.000+00:00",
"name": "Jane Smith",
"email": "jane@example.com",
"status": true,
"emailVerification": false,
"labels": []
}
Appwrite also sends several headers with every webhook request:
| Header | Description |
X-Appwrite-Webhook-Id | The webhook's ID in your project |
X-Appwrite-Webhook-Events | Comma-separated list of matching events |
X-Appwrite-Webhook-Name | The name you gave the webhook |
X-Appwrite-Webhook-User-Id | ID of the user who triggered the event (if any) |
X-Appwrite-Webhook-Project-Id | Your Appwrite project ID |
X-Appwrite-Webhook-Signature | HMAC-SHA1 signature for verification |
User-Agent | Always Appwrite-Server |
Verifying webhook signatures
Anyone who knows your endpoint URL could send fake webhook requests. Appwrite signs every webhook payload with HMAC-SHA1 using a secret key, and you should verify this signature on every request.
The signature is computed as:
HMAC-SHA1(webhookUrl + rawBody, signingKey)
Where webhookUrl is the full URL of your endpoint (including protocol and path), rawBody is the raw request body string, and signingKey is the signing key shown in the webhook's configuration in the Appwrite Console.
Here's how to verify in Node.js:
const crypto = require('crypto');
function verifyWebhookSignature(req, signingKey) {
const receivedSignature = req.headers['x-appwrite-webhook-signature'];
const webhookUrl = 'https://yourapp.com/webhooks/appwrite'; // must match exactly
const rawBody = req.rawBody; // ensure you have the raw body, not parsed JSON
const expectedSignature = crypto
.createHmac('sha1', signingKey)
.update(webhookUrl + rawBody)
.digest('base64');
return receivedSignature === expectedSignature;
}
app.post('/webhooks/appwrite', express.raw({ type: 'application/json' }), (req, res) => {
const rawBody = req.body.toString('utf8');
if (!verifyWebhookSignature({ headers: req.headers, rawBody }, process.env.WEBHOOK_SIGNING_KEY)) {
return res.status(401).json({ error: 'Invalid signature' });
}
const payload = JSON.parse(rawBody);
const events = req.headers['x-appwrite-webhook-events'];
// handle the event
handleWebhookEvent(events, payload);
res.status(200).json({ received: true });
});
Two things to watch for:
- Use the raw body before JSON parsing. Once parsed, the byte-for-byte representation may differ.
- The URL must match exactly, including any trailing slash.
Always return a 200 response quickly. Appwrite will retry failed deliveries, so if your handler takes too long or returns a non-2xx status, you'll receive duplicate events. Acknowledge receipt immediately and process asynchronously if needed.
Customer identity without the hassle
Add secure authentication in minutes, not weeks.
Built-in security and compliance- Multiple login methods
- Custom authentication flows
- Multi-factor authentication
Real use cases
CDN cache invalidation: Subscribe to storage.buckets.*.files.*.update and purge the CDN cache for the affected file URL when an asset is updated.
Slack notifications: Subscribe to users.*.create and post a message to a Slack channel whenever a new user signs up. Useful for tracking growth in early-stage apps.
async function handleWebhookEvent(events, payload) {
if (events.includes('users') && events.includes('create')) {
await fetch('https://hooks.slack.com/services/...', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({
text: `New user: ${payload.name} (${payload.email})`
})
});
}
}
Data sync to external systems: Subscribe to row create, update, and delete events and mirror changes to an external analytics database, a search index like Meilisearch or Algolia, or a data warehouse.
Automated emails: Subscribe to users.*.sessions.*.create and send a "new sign-in" security notification via your email provider when a session is created from a new location.
Audit logging: Subscribe broadly across databases and storage events and write every event to an append-only audit log table with the user ID from X-Appwrite-Webhook-User-Id.
Debugging webhooks
If your endpoint isn't receiving requests, check:
- The webhook is enabled in the Appwrite Console (there's an active/inactive toggle).
- Your endpoint URL is publicly reachable. Localhost won't work unless you're using a tunnel like ngrok or Cloudflare Tunnel.
- The events you subscribed to are actually firing. Use the Appwrite Console to manually trigger an action and confirm the event matches your subscription.
- Your server returns a 2xx response. Non-2xx responses are treated as failures.
For local development, tools like ngrok or Cloudflare Tunnel give your local server a public HTTPS URL you can paste directly into the webhook configuration.
Add webhooks to your Appwrite project
Webhooks connect Appwrite events to any external system without polling. Configure them in the Console, verify signatures to ensure authenticity, and return fast responses to handle retries cleanly.
