Webhooks

Overview

Firework Webhooks notify your application in real time when events occur on the platform. Instead of polling for changes, your server receives HTTP POST callbacks as events happen.

How It Works

┌──────────────┐         Event occurs         ┌──────────────┐
│   Firework   │  ──────────────────────────▶  │  Your Server │
│   Platform   │   HTTP POST with signed JSON  │  (Webhook    │
│              │                               │   Endpoint)  │
│              │  ◀──────────────────────────  │              │
│              │   2xx response                │              │
└──────────────┘                               └──────────────┘

An event occurs on Firework (e.g., video finishes processing)
Firework sends an HTTP POST request to your configured callback URL
The request includes a JSON payload describing the event and an HMAC signature for verification
Your server processes the event and responds with a 2xx status code

Available Event Types

This document covers video-related events only. Additional event types (e.g., livestream) may be documented separately.

Event Type

Description

video_created

Video created — transcoding complete or failed

video_updated

Video metadata or state changed after creation

video_import_failed

Async URL import failed (download error, validation error)

Configuration

Webhook endpoints are not self-service at this time. To set up webhooks for your business:

Contact the Firework IS team and provide:

Information

Description

Example

Callback URL

The HTTPS endpoint on your server that will receive webhook events

https://yourapp.com/webhooks/firework

Event types

Which event types you want to subscribe to

video_created, video_updated, video_import_failed

Business ID

Your Firework business identifier

AbCdEfG

After configuration, the IS team will provide you with:

Endpoint secret — Used to verify webhook signatures (see Signature Verification)

Important: Store your endpoint secret securely. If you suspect it has been compromised, contact the IS team to rotate it.

Delivery

Delivery Mechanics

Property

Value

HTTP Method

POST

Content-Type

application/json

Timeout

30 seconds per delivery attempt

Signature

HMAC-SHA256 in FW-Webhooks-Signature header

Success Criteria

A delivery is considered successful when your server responds with:

Status Code

Meaning

200

202

Accepted

204

No Content

Any other status code (or a timeout) is treated as a failure and triggers a retry.

Retry Policy

Failed deliveries are retried with increasing backoff:

Attempt

Backoff

1–3

1 hour

4–6

24 hours

Maximum 6 attempts per event delivery. After all attempts are exhausted, the event is dropped.

Signature Verification

Every webhook request includes an FW-Webhooks-Signature header. You must verify this signature before processing the payload to ensure the request is authentic.

Header Format

FW-Webhooks-Signature: t=1738152000000,v1=dGhpcyBpcyBhIHNhbXBsZSBzaWduYXR1cmU=

Component

Description

t

Unix timestamp in milliseconds when the signature was generated

v1

Base64-encoded HMAC-SHA256 signature

Verification Steps

Extract the t (timestamp) and v1 (signature) values from the header
Construct the signed payload string: {t}.{raw_request_body}
Compute HMAC-SHA256 of the signed payload using your endpoint secret
Base64-encode the result
Compare your computed signature with v1 using a constant-time comparison

Worked Example

Given:

Endpoint secret (provided by IS team): a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2

Signature header received:

FW-Webhooks-Signature: t=1738152300000,v1=K7vMFnQ3xYz...==

Raw request body received:

{"event_type":"video_created","version":"2023-06-06","created":1738152300,"business_id":"AbCdEfG","data":{"id":"xyz123","status":"approved","import_id":null,"access":"public","audio_disabled":false,"caption":"My Video","description":null,"hashtags":[],"archived_at":null,"product_ids":[],"custom_fields":{},"display_social_attributions":true,"external_media":null}}

Step 1 — Parse the header:

t  = "1738152300000"
v1 = "K7vMFnQ3xYz...=="

Step 2 — Concatenate t + . + raw request body:

1738152300000.{"event_type":"video_created","version":"2023-06-06","created":1738152300,"business_id":"AbCdEfG","data":{"id":"xyz123","status":"approved","import_id":null,"access":"public","audio_disabled":false,"caption":"My Video","description":null,"hashtags":[],"archived_at":null,"product_ids":[],"custom_fields":{},"display_social_attributions":true,"external_media":null}}

Step 3 — HMAC-SHA256 this string using your endpoint secret as the key.

Step 4 — Base64-encode the HMAC result.

Step 5 — Compare your Base64 result with v1. If they match, the webhook is authentic.

Important: Use the raw request body exactly as received (do not re-serialize the JSON). JSON key ordering and whitespace must match exactly for the signature to verify.

Tip: Optionally check the timestamp t to reject stale requests (e.g., older than 5 minutes) to prevent replay attacks.

Example: Python

import hmac
import hashlib
import base64

def verify_webhook(payload_body: str, signature_header: str, secret: str) -> bool:
    t_part, v1_part = signature_header.split(",", 1)
    timestamp = t_part[2:]
    expected_sig = v1_part[3:]

    signed_payload = f"{timestamp}.{payload_body}"
    computed = hmac.new(
        secret.encode(), signed_payload.encode(), hashlib.sha256
    ).digest()
    computed_sig = base64.b64encode(computed).decode()

    return hmac.compare_digest(computed_sig, expected_sig)

Example: Node.js

const crypto = require("crypto");

function verifyWebhook(payloadBody, signatureHeader, secret) {
  const [tPart, v1Part] = signatureHeader.split(",");
  const timestamp = tPart.substring(2);
  const expectedSig = v1Part.substring(3);

  const signedPayload = `${timestamp}.${payloadBody}`;
  const computedBuf = crypto
    .createHmac("sha256", secret)
    .update(signedPayload)
    .digest();
  const expectedBuf = Buffer.from(expectedSig, "base64");

  if (computedBuf.length !== expectedBuf.length) return false;

  return crypto.timingSafeEqual(computedBuf, expectedBuf);
}

Example: Elixir

def verify_webhook(payload_body, signature_header, secret) do
  ["t=" <> timestamp, "v1=" <> expected_sig] = String.split(signature_header, ",")

  signed_payload = "#{timestamp}.#{payload_body}"

  computed_sig =
    :crypto.mac(:hmac, :sha256, secret, signed_payload)
    |> Base.encode64()

  Plug.Crypto.secure_compare(computed_sig, expected_sig)
end

Event Payload

Envelope Schema

All webhook events share the same envelope structure:

{
  "event_type": "video_created",
  "version": "2023-06-06",
  "created": 1738152000,
  "business_id": "AbCdEfG",
  "data": { ... }
}

Field

Type

Description

event_type

string

Event type identifier (e.g., "video_created")

version

string

Payload schema version (currently "2023-06-06")

created

integer

Unix timestamp (seconds) when the event was generated

business_id

string

Encoded ID of the business that owns the resource

data

object

Event-specific payload — varies by event type (see Section 6)

Video Data Object

Used by video_created and video_updated events. The payload mirrors GET /api/v1/videos/{id} with additional webhook-specific fields (status, import_id), so consumers do not need a follow-up GET call.

Field

Type

Nullable

Description

id

string

❌

Encoded video ID

status

string

❌

Current video status (see status values below)

import_id

string

✅

Encoded import job ID. Present only for videos created via async URL import.

access

string

❌

Video visibility: "public" or "private"

audio_disabled

boolean

❌

Whether the video audio is muted

caption

string

✅

Video title/caption

description

string

✅

Video description

hashtags

string[]

❌

List of hashtags (empty array if none)

archived_at

string

✅

ISO 8601 timestamp if archived, null otherwise

product_ids

string[]

❌

List of encoded product IDs tagged on the video (empty array if none)

custom_fields

object

❌

Key-value map of custom metadata fields (empty object if none)

display_social_attributions

boolean

✅

Whether to display social attribution overlays

external_media

object

✅

External media source info (see below), or null

External Media Object

Present only when the video was imported from an external source.

Field

Type

Description

source

string

Platform name (e.g., "instagram")

username

string

Original creator's username

url

string

Original content URL

Video Status Values

Status

Description

pending

Video is being transcoded — not yet ready

approved

Transcoding complete — video is ready for playback

errored

Transcoding failed

Note: video_created fires with "approved" status on successful transcoding, or "errored" status on transcoding failure. video_updated only fires for videos that have already received a video_created event.

Import Data Object

Used by video_import_failed events. No video record exists when this event fires. Use GET /api/v1/videos/imports/{import_id} to fetch import job details.

Field

Type

Nullable

Description

import_id

string

❌

Encoded import job ID

reason

string

❌

Machine-readable failure code (see table below)

Import Failure Reason Values

Reason

Description

download_failed

Could not download the file (timeout, 404, network error)

invalid_format

File is not a supported video format

duration_out_of_range

Video shorter than 3s or longer than 1h

file_size_exceeded

File exceeds 5GB limit

internal_error

Unexpected server-side error

Video Events

`video_created`

Fired when a video's transcoding completes (successfully or with failure). The data field contains the full video resource (same fields as GET /api/v1/videos/{id}).

When it fires:

After transcoding completes and the video status transitions to "approved" — the video is ready for playback
After transcoding fails and the video status transitions to "errored"

Example — file upload / S3 key:

{
  "event_type": "video_created",
  "version": "2023-06-06",
  "created": 1738152300,
  "business_id": "AbCdEfG",
  "data": {
    "id": "encoded_video_id_xyz123",
    "status": "approved",
    "import_id": null,
    "access": "public",
    "audio_disabled": false,
    "caption": "My Video Title",
    "description": "A short description",
    "hashtags": ["demo", "product"],
    "archived_at": null,
    "product_ids": ["encoded_product_1"],
    "custom_fields": {},
    "display_social_attributions": true,
    "external_media": null
  }
}

Example — async URL import:

{
  "event_type": "video_created",
  "version": "2023-06-06",
  "created": 1738152300,
  "business_id": "AbCdEfG",
  "data": {
    "id": "encoded_video_id_xyz123",
    "status": "approved",
    "import_id": "encoded_import_abc123",
    "access": "public",
    "audio_disabled": false,
    "caption": "Imported Video",
    "description": null,
    "hashtags": [],
    "archived_at": null,
    "product_ids": [],
    "custom_fields": {},
    "display_social_attributions": true,
    "external_media": null
  }
}

If the status is "approved", the video is ready for playback. If the status is "errored", transcoding failed. If import_id is present, you can also check GET /api/v1/videos/imports/{import_id} for import job details.

Example — transcoding failed:

{
  "event_type": "video_created",
  "version": "2023-06-06",
  "created": 1738153000,
  "business_id": "AbCdEfG",
  "data": {
    "id": "encoded_video_id_xyz123",
    "status": "errored",
    "import_id": null,
    "access": "public",
    "audio_disabled": false,
    "caption": "My Video Title",
    "description": null,
    "hashtags": [],
    "archived_at": null,
    "product_ids": [],
    "custom_fields": {},
    "display_social_attributions": true,
    "external_media": null
  }
}

`video_updated`

Fired when a video's state or metadata changes after a video_created event has been sent. The data field contains the full video resource after the update (same fields as GET /api/v1/videos/{id}), so consumers do not need a follow-up GET call.

When it fires:

After a metadata update (caption, description, access, hashtags, products, poster, etc.)
After any other video state change (admin actions, automations, AICC, etc.)

This event only fires for videos that have already received a video_created event (i.e., videos with "approved" status). It does not fire for transcoding failures — those are covered by video_created with "errored" status.

Example — metadata update via PATCH:

{
  "event_type": "video_updated",
  "version": "2023-06-06",
  "created": 1738153500,
  "business_id": "AbCdEfG",
  "data": {
    "id": "encoded_video_id_xyz123",
    "status": "approved",
    "import_id": null,
    "access": "public",
    "audio_disabled": false,
    "caption": "Updated Title",
    "description": "New description",
    "hashtags": ["sale", "new"],
    "archived_at": null,
    "product_ids": ["encoded_product_1", "encoded_product_2"],
    "custom_fields": { "sku": "ABC-123" },
    "display_social_attributions": true,
    "external_media": null
  }
}

If import_id is present, you can also check GET /api/v1/videos/imports/{import_id} for import job details.

`video_import_failed`

Fired when an async URL import fails before a video record is created. This covers failures during download, URL validation, or file validation.

When it fires:

Download from the source URL fails (timeout, 404, network error)
Downloaded file fails validation (invalid format, duration out of range, file size exceeded)

This event only applies to async URL imports (POST /api/v1/videos with "async": true). It does not fire for transcoding failures — those are covered by video_created with "errored" status.

Example — download failed:

{
  "event_type": "video_import_failed",
  "version": "2023-06-06",
  "created": 1738153000,
  "business_id": "AbCdEfG",
  "data": {
    "import_id": "encoded_import_abc123",
    "reason": "download_failed"
  }
}

Example — invalid file:

{
  "event_type": "video_import_failed",
  "version": "2023-06-06",
  "created": 1738153000,
  "business_id": "AbCdEfG",
  "data": {
    "import_id": "encoded_import_abc123",
    "reason": "invalid_format"
  }
}

Use GET /api/v1/videos/imports/{import_id} to fetch the import job details.

Best Practices

Respond Quickly

Your webhook endpoint should return a 2xx response within 30 seconds. If you need to perform lengthy processing, acknowledge the webhook immediately and process asynchronously.

# Good: acknowledge first, process later
POST /webhooks/firework → 200 OK (immediate)
  └─▶ enqueue background job for processing

Verify Signatures

Always verify the FW-Webhooks-Signature header before processing webhook payloads. This protects against spoofed requests. See Section Signature Verification for implementation details.

Handle Duplicates

In rare cases, the same event may be delivered more than once. Design your handler to be idempotent — processing the same event twice should not cause issues.

Deduplication key: event_type + data.id + created (for video_import_failed, use data.import_id instead of data.id)

Use HTTPS

Always use an HTTPS callback URL. Firework will not deliver webhooks to plain HTTP endpoints.

PreviousPlaylist NextIntegration Guide for Android SDK

Last updated 1 hour ago

Was this helpful?

hashtagOverview

hashtagHow It Works

hashtagAvailable Event Types

hashtagConfiguration

hashtagDelivery

hashtagDelivery Mechanics

hashtagSuccess Criteria

hashtagRetry Policy

hashtagSignature Verification

hashtagHeader Format

hashtagVerification Steps

hashtagWorked Example

hashtagExample: Python

hashtagExample: Node.js

hashtagExample: Elixir

hashtagEvent Payload

hashtagEnvelope Schema

hashtagVideo Data Object

hashtagImport Data Object

hashtagVideo Events

hashtag video_created

hashtagvideo_updated

hashtagvideo_import_failed

hashtagBest Practices

hashtagRespond Quickly

hashtagVerify Signatures

hashtagHandle Duplicates

hashtagUse HTTPS

Overview

How It Works

Available Event Types

Configuration

Delivery

Delivery Mechanics

Success Criteria

Retry Policy

Signature Verification

Header Format

Verification Steps

Worked Example

Example: Python

Example: Node.js

Example: Elixir

Event Payload

Envelope Schema

Video Data Object

Import Data Object

Video Events

`video_created`

`video_updated`

`video_import_failed`

Best Practices

Respond Quickly

Verify Signatures

Handle Duplicates

Use HTTPS