# Duvo Webhooks

Duvo webhooks let approved workspaces subscribe to run, case, assignment, approval, and integration events. Webhook subscriptions require workspace admin access.

## Event Categories

- run.started, run.paused, run.completed, run.failed
- run.message.created, run.tool_call.completed, run.file.created
- human_request.created, human_request.responded
- queue.case.created, queue.case.claimed, queue.case.completed
- assignment.build.published
- connection.updated, connection.action_required

## Delivery Expectations

- Payloads are JSON.
- Delivery should be retried for transient 5xx responses.
- Consumers should use idempotency keys or event IDs because retries can duplicate events.
- Production endpoints should verify HMAC signatures and reject stale timestamps.
- Webhook secrets should be rotated when ownership or integration scope changes.

## Signature Verification

Webhook consumers should verify the Duvo signature header against the raw request body with the workspace webhook secret before acting on an event. Reject payloads with missing signatures, stale timestamps, or mismatched HMAC values.
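
The checks above, together with the event-ID deduplication from Delivery Expectations, as an added example that is not Duvo's own code. The page does not specify the signature scheme, so the hex HMAC-SHA256 over `<timestamp>.<raw body>`, the 300-second window, and the `id` payload field are assumptions to replace with the values from your workspace's webhook settings.

```python
import hashlib
import hmac
import json
import time

# Assumptions, not taken from the Duvo documentation: the signing scheme,
# the freshness window, and the "id" field that carries the event ID.
TOLERANCE_SECONDS = 300
_seen_event_ids = set()  # in-memory only; use a shared store with a TTL in production


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over b"<timestamp>." + raw body."""
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()


def verify_event(secret, raw_body, signature, timestamp, now=None):
    """Return "ok" when the event should be processed, else the rejection reason."""
    if not signature or not timestamp:
        return "missing signature"
    # Compare over the raw bytes as received; re-serialised JSON will not match.
    expected = sign(secret, timestamp, raw_body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "signature mismatch"
    # The timestamp is covered by the HMAC, so it can be trusted from here on.
    try:
        sent_at = int(timestamp)
    except ValueError:
        return "stale timestamp"
    now = time.time() if now is None else now
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return "stale timestamp"
    # Parse only after authentication, then drop retried deliveries.
    try:
        event_id = str(json.loads(raw_body)["id"])
    except (ValueError, KeyError, TypeError):
        return "malformed payload"
    if event_id in _seen_event_ids:
        return "duplicate"  # acknowledge to stop retries, but do not act again
    _seen_event_ids.add(event_id)
    return "ok"


if __name__ == "__main__":
    # Constructed sample delivery, not a real Duvo payload or secret.
    secret = b"constructed-secret"
    body = b'{"id": "evt_constructed_1", "type": "run.completed"}'
    ts = str(int(time.time()))
    print(verify_event(secret, body, sign(secret, ts, body), ts))  # first delivery
    print(verify_event(secret, body, sign(secret, ts, body), ts))  # retried delivery
```
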