ProductServicesTrainingBook a Call

Managing Endpoints

Create, list, update, rotate, and delete webhook endpoints from your backend with mb.webhooks.

mb.webhooks is the resource on @medblocks/connect for managing endpoints. Registering new ones, listing what you have, rotating secrets, and inspecting recent deliveries. For receiving and verifying incoming events, see Quickstart and Signatures.

MethodHTTP
mb.webhooks.create(input)POST /webhooks
mb.webhooks.retrieve(id)GET /webhooks/{id}
mb.webhooks.list(params?)GET /webhooks
mb.webhooks.update(id, input)PATCH /webhooks/{id}
mb.webhooks.delete(id)DELETE /webhooks/{id}
mb.webhooks.rotateSecret(id)POST /webhooks/{id}/rotate-secret
mb.webhooks.listEvents(id, params?)GET /webhooks/{id}/events

Create

create returns the endpoint with the plaintext signing secret. The secret is returned exactly once. Store it server-side immediately.

The secret field on the response is returned only on create and on rotateSecret. There is no endpoint that returns it again. Persist it before doing anything else.

server/scripts/register-webhook.ts
import { mb } from "../medblocks";

const endpoint = await mb.webhooks.create({
  url: "https://api.example.com/medblocks/webhook",
  events: ["patient_flow.completed", "records.sync.completed"],
  description: "Production webhook",
});

console.log(endpoint.id);     // wh_*
console.log(endpoint.secret); // whsec_* - store me!

Subscribing To All Events

Pass ["*"] to deliver every event type. Otherwise list the explicit event types you want; any unknown type is rejected.

await mb.webhooks.create({
  url: "https://api.example.com/medblocks/webhook",
  events: ["*"],
});

Retrieve

const endpoint = await mb.webhooks.retrieve("wh_01J9YR9N3X4VZ6P2K5RH7M3LMP");

Returns the endpoint without the secret.

List

Cursor-paginated. Filter by status (active or disabled).

server/scripts/list-webhooks.ts
const page = await mb.webhooks.list({ limit: 50 });
for (const ep of page.data) console.log(ep.id, ep.url, ep.status);

for await (const ep of mb.webhooks.list({ status: "active" }).autoPagingIterator()) {
  console.log(ep.id);
}

Update

Partial update via PATCH. Only the fields you pass are changed. Use status: "active" to re-enable an endpoint that was auto-disabled after retry exhaustion.

server/scripts/reenable-webhook.ts
const updated = await mb.webhooks.update("wh_01J9YR9N3X4VZ6P2K5RH7M3LMP", {
  status: "active",
});

Updatable fields: url, events, description, metadata, status. The endpoint’s api_version is immutable.

Delete

Drops any pending deliveries for this endpoint. Returns a tombstone.

const tombstone = await mb.webhooks.delete("wh_01J9YR9N3X4VZ6P2K5RH7M3LMP");
// { id: "wh_*", resource_type: "webhook_endpoint", deleted: true }

Rotate Secret

Generates a new signing secret and returns it. The old secret stops verifying immediately. There is no grace period.

Sequence to avoid downtime: deploy code that reads the new secret from a configurable location → call rotateSecret → write the returned secret to that location. The deploy must be ready to accept the new secret before you rotate.

server/scripts/rotate-webhook-secret.ts
const rotated = await mb.webhooks.rotateSecret("wh_01J9YR9N3X4VZ6P2K5RH7M3LMP");
await secrets.put("MEDBLOCKS_WEBHOOK_SECRET", rotated.secret);

List Recent Deliveries

listEvents returns the per-endpoint delivery log. Useful for a dashboard view or for debugging a flaky receiver.

server/scripts/inspect-deliveries.ts
const page = await mb.webhooks.listEvents("wh_01J9YR9N3X4VZ6P2K5RH7M3LMP", { limit: 20 });
for (const evt of page.data) {
  console.log(evt.id, evt.type, evt.last_status_code, evt.attempts);
}

Each WebhookEventRecord carries attempts, next_attempt_at, delivered_at, last_status_code, last_response_body (truncated to 4 KB), and last_redelivered_at. Use these to spot endpoints climbing toward auto-disable.

Errors

SubclassWhen
MedblocksInvalidRequestErrorurl not HTTPS (outside localhost), unknown event type, or events empty.
MedblocksConflictErrorOrganization has reached its webhook endpoint limit (webhook_endpoint_limit_reached).
MedblocksNotFoundErrorretrieve, update, del, rotateSecret, listEvents with an id that doesn’t exist for your org.

See SDK · Errors.

Signatures

The Medblocks-Signature header, constructEvent, the raw-body trap, and the five failure reasons.

Retries & Auto-Disable

How Medblocks retries failed deliveries, when an endpoint gets auto-disabled, and how to bring it back.

On this page

CreateSubscribing To All EventsRetrieveListUpdateDeleteRotate SecretList Recent DeliveriesErrorsRelated