Webhooks

introduction a webhook (also called a web callback or http push api) is a way for spike to provide your application with real time information a webhook delivers notifications to your applications as new event happens, meaning you get notified immediately unlike a typical api where you would need to poll for data very frequently to get it in real time this makes webhooks much more efficient for the provider and consumer new incoming data will be normalized and notitifation about is sent to your webhook url address getting started the endpoint you create must be configured to accept post requests it has to be an https secured endpoint on your server with a distinct url you can enable webhook messages by configuring your webhook url address in your app settings page in the developer console removing this url will result in webhooks being disabled webhook events all spike webhook events have the following structure in json format in the example below you will find the base json object for a webhook payload right now "event type" "record change" is the only one supported and it indicates that particular metrics (listed) or activity types such as workouts or sleep sessions were recorded by application user id at particular dates if your application based on your individual use case is interested to receive this data, you should poll for it using the query apis or sdks used payload example json \[ { "application user id" "user1", "timestamp" "2025 04 15t13 33 55 271331177z", "event type" "record change", "metrics" \["calories burned active", "distance", "steps"], "activity types" \["sedentary", "walking"], "provider slug" "garmin", "earliest record start at" "2025 04 15t09 30 00z", "latest record end at" "2025 04 15t13 33 00z" }, { "application user id" "user2", "timestamp" "2025 04 15t13 33 55 271331177z", "event type" "record change", "metrics" \["calories burned active"], "activity types" \["walking"], "provider slug" "garmin", "earliest record start at" "2025 04 15t09 30 00z", "latest record end at" "2025 04 15t13 33 00z" } ] verification events are signed with a header ( x body signature ) so you can verify their authenticity the header uses hmac256 and a shared key to sign the payload as is you can obtain the shared key in the admin console