Webhooks

Webhooks Real-time events

HMAC-signed callbacks for every document, job, workspace and task event. 22 event types, exponential retries, HTTPS recommended.

Create webhook Postman Collection

22+

Event types

<1s

Latency

HMAC

SHA-256 signed

POST /your-endpoint

Request headers

X-PaperOffice-Event: document.processed
X-PaperOffice-Event-ID: a3b7f9c1d4e8b2a6
X-PaperOffice-Signature: sha256=9f8a2c…

JSON body

{
  "event_type": "document.processed",
  "event_id": "a3b7f9c1d4e8b2a6",
  "timestamp": "2026-04-17T14:23:11Z",
  "subscription_id": 42,
  "data": { "pofid": "doc_01HZY8K3…" }
}

Signature verified HMAC-SHA256 · Event ID logged

Trusted by leading companies worldwide

Exclusive DMS Partner

Only official DMS

Available events

22 event types, grouped by entity

Subscribe to individual events or use the wildcard * for everything.

Documents

document.uploaded New document uploaded to a workspace
document.created Alias for document.uploaded (compatibility)
document.processed OCR/IDP pipeline finished successfully
document.edited Metadata, tags or content updated
document.deleted Document moved to trash
document.restored Document recovered from trash
document.moved Document moved between workspaces
document.version_created New version added to an existing document
document.lifecycle_changed Retention / archival status changed
document.comment_added Comment posted on a document
document.note_added Internal note attached
document.tag_added Tag assigned to a document
document.legal_hold_placed Legal hold activated (immutable)
document.legal_hold_released Legal hold released

Jobs

job.completed Async job finished successfully
job.failed Async job failed terminally
job.progress Progress update during long-running jobs

Workspaces

workspace.shared Workspace shared with a user or team
workspace.unshared Workspace access revoked

Tasks

task.created New task created
task.completed Task marked as complete
task.overdue Task passed its due date

Subscribe to ["*"] to receive every event of your account.

Payload & headers

Every delivery follows the same schema

Predictable JSON body, five signed HTTP headers, ISO-8601 UTC timestamps.

Request body (JSON)

{
  "event_type": "document.processed",
  "event_id": "a3b7f9c1d4e8b2a6c9f1d4e7b2a5c8f1",
  "timestamp": "2026-04-17T14:23:11Z",
  "subscription_id": 42,
  "data": {
    "pofid": "doc_01HZY8K3M7P2Q9R5T1V6W4X2Y8",
    "workspace_id": 17,
    "filename": "invoice-2026-04-17.pdf",
    "mime_type": "application/pdf",
    "size_bytes": 284521,
    "processing_result": {
      "ocr_done": true,
      "classification": "invoice",
      "confidence": 0.98
    }
  }
}

HTTP request headers

Content-Type application/json Always JSON, UTF-8 encoded

User-Agent PaperOffice-Webhook/1.0 Fixed identifier for firewall allowlists

X-PaperOffice-Event document.processed Event type being delivered

X-PaperOffice-Event-ID a3b7f9c1… 128-bit unique ID. Use for idempotency.

X-PaperOffice-Subscription-ID 42 ID of the subscription receiving the event

X-PaperOffice-Signature sha256=… HMAC-SHA256 of the raw body, hex-encoded

Signature verification

Verify every delivery with HMAC-SHA256

Compute HMAC-SHA256 over the raw request body using your shared secret, then compare against X-PaperOffice-Signature using constant-time comparison (hash_equals, crypto.timingSafeEqual).

import crypto from 'crypto';
import express from 'express';
const app = express();

const WEBHOOK_SECRET = process.env.PAPEROFFICE_WEBHOOK_SECRET;

app.post('/webhooks/paperoffice', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.header('X-PaperOffice-Signature'); // "sha256=..."
  const eventId   = req.header('X-PaperOffice-Event-ID');
  const eventType = req.header('X-PaperOffice-Event');

  const expected = 'sha256=' + crypto
    .createHmac('sha256', WEBHOOK_SECRET)
    .update(req.body)
    .digest('hex');

  if (!signature || !crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
    return res.status(401).send('invalid signature');
  }

  const event = JSON.parse(req.body.toString());
  // eventId als Idempotency-Key speichern -> gleiche ID nicht zweimal verarbeiten
  console.log(eventType, event.data);
  res.status(200).send('ok');
});

import hmac, hashlib, os
from flask import Flask, request, abort

app = Flask(__name__)
WEBHOOK_SECRET = os.environ["PAPEROFFICE_WEBHOOK_SECRET"]

@app.route("/webhooks/paperoffice", methods=["POST"])
def paperoffice_webhook():
    signature = request.headers.get("X-PaperOffice-Signature", "")
    event_id   = request.headers.get("X-PaperOffice-Event-ID", "")
    event_type = request.headers.get("X-PaperOffice-Event", "")

    expected = "sha256=" + hmac.new(
        WEBHOOK_SECRET.encode(),
        request.get_data(),
        hashlib.sha256,
    ).hexdigest()

    if not hmac.compare_digest(signature, expected):
        abort(401)

    payload = request.get_json()
    # event_id als Idempotency-Key in DB speichern
    print(event_type, payload["data"])
    return "ok", 200

<?php
// PaperOffice Webhook-Receiver mit HMAC-SHA256 Signatur-Verifizierung
$secret = getenv('PAPEROFFICE_WEBHOOK_SECRET');
$raw    = file_get_contents('php://input');

$signature  = $_SERVER['HTTP_X_PAPEROFFICE_SIGNATURE'] ?? '';
$event_id   = $_SERVER['HTTP_X_PAPEROFFICE_EVENT_ID'] ?? '';
$event_type = $_SERVER['HTTP_X_PAPEROFFICE_EVENT'] ?? '';

$expected = 'sha256=' . hash_hmac('sha256', $raw, $secret);
if (!hash_equals($expected, $signature)) {
    http_response_code(401);
    exit('invalid signature');
}

$event = json_decode($raw, true);
// event_id als Idempotency-Key in DB speichern
error_log("{$event_type}: " . json_encode($event['data']));
http_response_code(200);
echo 'ok';

curl -X POST https://api.paperoffice.ai/latest/webhooks/subscribe \
  -H "Authorization: Bearer po_ut_xxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Production Webhook",
    "url": "https://yourdomain.com/webhooks/paperoffice",
    "events": ["document.processed", "job.completed", "job.failed"],
    "retry_policy": "exponential",
    "max_retries": 5,
    "timeout_ms": 10000
  }'

Retry & delivery

Three retry strategies, up to 10 attempts

Pick a policy per subscription. Every attempt is logged with status code, response body and timing.

Default

exponential

Exponential (default)

Back-off doubles after every attempt: 30s, 60s, 120s, 240s, 480s…

linear

Linear

Fixed growth: 30s, 60s, 90s, 120s, 150s…

none

None

Fire-and-forget. No retries even on 5xx. Useful for test hooks.

Success HTTP 2xx within your timeout window

Max retries 0–10 attempts (default 5)

Timeout 1,000–30,000 ms per attempt (default 10,000)

Delivery log Every attempt stored in webhook_deliveries for audit

Management API

9 endpoints under /latest/webhooks/

Full CRUD for subscriptions, delivery logs, one-time job subscriptions and a test endpoint — all OAuth2 Bearer, all MCP-ready.

POST /webhooks/subscribe Create a new subscription (unlimited per account) po_webhooks_subscribe

GET /webhooks/list List all subscriptions of the account po_webhooks_list

POST /webhooks/update Update an existing subscription po_webhooks_update

POST /webhooks/delete Soft-delete a subscription (delivery log preserved) po_webhooks_delete

GET /webhooks/deliveries Retrieve delivery log with filters (event_type, success_only) po_webhooks_deliveries

POST /webhooks/test Send a test.ping event to verify delivery po_webhooks_test

POST /webhooks/subscribe-job One-time webhook for a specific job_id po_webhooks_subscribe_job

GET /webhooks/job-subscriptions List job-scoped subscriptions po_webhooks_job_subscriptions

GET /webhooks/info Available events, endpoints, retry policies, signature info po_webhooks_info

Use via MCP Postman Collection

Enterprise security

Hardened by design

HMAC-SHA256

Every payload signed with your secret. Constant-time comparison mandatory.

SSRF protection

Private / internal IPs, localhost and cloud metadata endpoints blocked at subscribe and dispatch.

DNS rebinding safe

IP re-validated at dispatch time, pinned via CURLOPT_RESOLVE.

HTTPS strongly preferred

http and https accepted. HTTPS recommended for production.

Event-ID idempotency

Every delivery carries a unique X-PaperOffice-Event-ID. Dedupe on your side.

Full audit trail

All attempts logged: status code, response body, timing, error message.

Limits

Unlimited subscriptions, delivery behaviour fully configurable

∞

Subscriptions / account

∞

Active job subscriptions

10,000 ms

Default timeout

Default max retries

Available on all plans. Pay-per-use: 1 credit per successful delivery (HTTP 2xx). Retries, test events and failed deliveries are free.

See pricing Authentication

Start now

Your first webhook in 60 seconds

Create an endpoint, subscribe via API, fire a test event. That's it.

Create webhook Postman Collection

HMAC-SHA256 Exponential back-off Full audit trail

Document AI supercharged by Claude & ChatGPT

Data insights powered by Claude & ChatGPT

AI agents controlled from Claude & ChatGPT

Your knowledge base, accessible via Claude & ChatGPT

Security APIs at your fingertips in Claude & ChatGPT

Industry AI ready in Claude & ChatGPT

Every solution, right in Claude & ChatGPT

Automated workflows via Claude & ChatGPT

Risk detection powered by Claude & ChatGPT

Any document, processed via Claude & ChatGPT

357+ API Tools. One MCP Connection.

Learn to use PaperOffice in Claude & ChatGPT

Offer AI that works in Claude & ChatGPT

Built for Claude, ChatGPT & your AI tools