> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getdialed.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Update a webhook

> Partial update — enable/disable, rebind the Definition (ownership re-validated), or edit the input template. Secret rotation is a separate endpoint. Cross-tenant access returns 404, never 403.



## OpenAPI

````yaml /openapi.json patch /webhooks/{webhook_id}
openapi: 3.1.0
info:
  title: GetDialed Flows API
  version: 0.1.0
servers:
  - url: https://api.getdialed.ai/flows
    description: Production
  - url: http://localhost:8000
    description: Local development
security: []
paths:
  /webhooks/{webhook_id}:
    patch:
      tags:
        - webhooks
      summary: Update a webhook
      description: >-
        Partial update — enable/disable, rebind the Definition (ownership
        re-validated), or edit the input template. Secret rotation is a separate
        endpoint. Cross-tenant access returns 404, never 403.
      operationId: patch_webhook_webhooks__webhook_id__patch
      parameters:
        - name: webhook_id
          in: path
          required: true
          schema:
            type: string
            title: Webhook Id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookConfigUpdate'
      responses:
        '200':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WebhookConfigResponse'
        '401':
          description: Missing or invalid authentication
          content:
            application/json:
              example:
                detail: Authentication required
        '403':
          description: Admin role required
          content:
            application/json:
              example:
                detail: Admin role required
        '404':
          description: Not found — also returned on cross-tenant access (never 403)
          content:
            application/json:
              example:
                detail: Webhook not found
        '422':
          description: Validation error (see body for field details)
          content:
            application/json:
              example:
                detail: Validation error
        '429':
          description: Rate limit exceeded — retry after the Retry-After header
          content:
            application/json:
              example:
                detail: Rate limit exceeded
      security:
        - APIKeyHeader: []
        - HTTPBearer: []
components:
  schemas:
    WebhookConfigUpdate:
      properties:
        definition_id:
          anyOf:
            - type: string
            - type: 'null'
          title: Definition Id
        description:
          anyOf:
            - type: string
              maxLength: 200
              minLength: 1
            - type: 'null'
          title: Description
        input_template:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Input Template
        dispatch_retry:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Dispatch Retry
        rate_limit:
          anyOf:
            - type: integer
              exclusiveMinimum: 0
            - type: 'null'
          title: Rate Limit
        enabled:
          anyOf:
            - type: boolean
            - type: 'null'
          title: Enabled
      additionalProperties: false
      type: object
      title: WebhookConfigUpdate
      description: >-
        PATCH /webhooks/{id} body — partial semantics; mode/provider immutable.


        Router uses `body.model_dump(exclude_unset=True)`. `mode`/`provider` are

        intentionally omitted — they are not mutable once a config exists.


        `description`/`enabled`/`definition_id` keep their `| None` typing ONLY
        so

        they stay unset-omittable for partial semantics — an explicit JSON null
        for

        any of them is rejected with 422 at the router (CR-04 / T-41-35),
        because

        the underlying WebhookConfig fields are required non-null and a null
        $set

        would corrupt the stored document. `input_template`/`dispatch_retry`/

        `rate_limit` are legitimately nullable and remain clearable with null.
    WebhookConfigResponse:
      properties:
        id:
          type: string
          title: Id
        definition_id:
          type: string
          title: Definition Id
        org_id:
          type: string
          title: Org Id
        description:
          type: string
          title: Description
        mode:
          type: string
          title: Mode
        provider:
          type: string
          title: Provider
        input_template:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Input Template
        dispatch_retry:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Dispatch Retry
        rate_limit:
          anyOf:
            - type: integer
            - type: 'null'
          title: Rate Limit
        enabled:
          type: boolean
          title: Enabled
        created_at:
          type: string
          format: date-time
          title: Created At
        updated_at:
          type: string
          format: date-time
          title: Updated At
      type: object
      required:
        - id
        - definition_id
        - org_id
        - description
        - mode
        - provider
        - input_template
        - dispatch_retry
        - rate_limit
        - enabled
        - created_at
        - updated_at
      title: WebhookConfigResponse
      description: |-
        GET response — NEVER carries the signing secret (T-41-05).

        Surfaces `rate_limit` + `dispatch_retry` so admins can read back the
        current policy.
      example:
        created_at: '2026-07-09T09:00:00Z'
        definition_id: def_a1b2c3d4
        description: Inbound Stripe payment webhook
        enabled: true
        id: wh_1a2b3c4d5e6f
        input_template:
          amount: '{{ payload.data.object.amount }}'
        mode: trigger
        org_id: org_e5f6g7h8
        provider: standard
        rate_limit: 1000
        updated_at: '2026-07-09T09:00:00Z'
  securitySchemes:
    APIKeyHeader:
      type: apiKey
      in: header
      name: X-API-Key
    HTTPBearer:
      type: http
      scheme: bearer
      bearerFormat: JWT

````