# Webhooks — event subscriptions

> **TL;DR for agents:** Create: `POST /api/webhooks {url, events, secret}`. List deliveries: `GET /api/webhooks/:id/deliveries`. Retry: `POST /api/webhooks/deliveries/:id/retry`. Each request carries `X-LDM-Signature: sha256=<hmac>`.

## Create a webhook subscription

Scope: `webhooks:write`. `events` is an array — supported: `lead.created`, `lead.moved`, `lead.won`, `lead.lost`, `dialog.received`, `dialog.replied`, `task.completed`, `task.failed`.

```bash
curl -s -X POST "https://api.live-direct-marketing.online/api/webhooks" \
  -H "Authorization: Bearer $LDM_KEY" -H "Content-Type: application/json" \
  -d '{
    "url":"https://my-agent.example.com/hooks/ldm",
    "events":["lead.moved","dialog.received","task.completed"],
    "secret":"shared-hmac-secret-32-chars-min"
  }'
```

## Verify the HMAC

```bash
# Header: X-LDM-Signature: sha256=<hex>
signature=$(echo -n "$RAW_BODY" | openssl dgst -sha256 -hmac "$SECRET" -hex)
# expected: signature == request header value
```

## Inspect deliveries + retry failed

```bash
curl -s "https://api.live-direct-marketing.online/api/webhooks/$WEBHOOK_ID/deliveries?status=FAILED" \
  -H "Authorization: Bearer $LDM_KEY"

curl -s -X POST "https://api.live-direct-marketing.online/api/webhooks/deliveries/$DELIVERY_ID/retry" \
  -H "Authorization: Bearer $LDM_KEY"
```