Webhooks

Mobius uses the word "webhook" for a few related but different surfaces. The most important distinction is direction:

Managed webhooks

The first-class webhooks product feature is the project-scoped resource at /v1/projects/{handle}/webhooks.

When you create one of these webhooks, Mobius returns a receive_url. That URL is an inbound endpoint hosted by Mobius. External systems send requests to it, and Mobius records each request as a webhook event that you can inspect later.

This is the meaning of bare webhook throughout the product and API docs unless another section says otherwise.

Billing webhook

POST /v1/billing/webhook is also inbound, but it is not part of the generic webhooks resource. It is a billing-specific Stripe receiver used for subscription lifecycle updates, invoice events, and other billing state changes.

Stripe sends events directly to this endpoint. Mobius verifies the Stripe signature before applying billing changes.

Workflow callbacks

Workflow runs also expose a callback_url field. This is an outbound callback: the intent is for Mobius to POST run completion data to your system when a run reaches a terminal status.

That callback delivery path is not active yet in this repo. Today, Mobius stores the callback_url on the run record, but it does not yet deliver the callback.

Security and status notes

• Managed project webhooks support a stored shared secret, but generic request verification is not yet enforced by the inbound receiver.
• Billing webhooks do verify Stripe signatures today.
• Outbound workflow callbacks are documented in the API contract, but delivery is still planned rather than fully implemented.

See also

• Triggers
• Workflows
• API overview