Creates a new webhook subscription for a line. The server generates an HMAC secret, which is returned once on creation (it is also visible in the dashboard).
POST /your-endpoint HTTP/1.1
Content-Type: application/json
X-Webhook-Signature: <hex hmac>
X-Webhook-Timestamp: <unix ms>
X-Webhook-Delivery-Id: dlv_<uuid>

{
  "event": "message.received",
  "data": { ... },
  "timestamp": <unix ms>,
  "delivery_id": "dlv_..."
}
X-Webhook-Signature is the lowercase hex HMAC-SHA256 of
${timestamp}.${rawBody} using the webhook secret. Verifiers should
use the X-Webhook-Timestamp header (or the timestamp field in the
body) to construct the signed payload, and reject deliveries whose
timestamp is more than 5 minutes off (replay protection).
The @messages-dev/sdk package’s verifyWebhook() helper performs
all of this for you, including timing-safe comparison.
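A stand-alone verifier for the scheme described above, as an added example (it is not the SDK's verifyWebhook() and not code from this documentation). The function names, the secret and the sample delivery are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // 5-minute replay window stated in the docs

// Hypothetical helper: lowercase hex HMAC-SHA256 of `${timestamp}.${rawBody}`.
function signPayload(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.`).update(rawBody).digest("hex");
}

// Hypothetical verifier. rawBody must be the exact bytes received, before any
// JSON parsing or re-serialisation; signature and timestamp are header values.
function verifyDelivery({ secret, rawBody, signature, timestamp, now = Date.now() }) {
  if (typeof signature !== "string" || !/^[0-9a-f]{64}$/.test(signature)) {
    return { ok: false, reason: "malformed-signature" };
  }
  if (typeof timestamp !== "string" || !/^\d{1,15}$/.test(timestamp)) {
    return { ok: false, reason: "malformed-timestamp" };
  }
  // Authenticate first: the timestamp is only trustworthy once the MAC checks out.
  const expected = Buffer.from(signPayload(secret, timestamp, rawBody), "hex");
  const given = Buffer.from(signature, "hex"); // 32 bytes, guaranteed by the regex
  if (!crypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: "bad-signature" };
  }
  if (Math.abs(now - Number(timestamp)) > MAX_SKEW_MS) {
    return { ok: false, reason: "stale-timestamp" };
  }
  return { ok: true, reason: null };
}

// Constructed sample delivery (not real traffic).
const SAMPLE_SECRET = "constructed-secret-for-example";
const SAMPLE_TS = "1700000000000";
const SAMPLE_BODY = JSON.stringify({
  event: "message.received", data: {}, timestamp: 1700000000000,
  delivery_id: "dlv_constructed",
});
const SAMPLE_SIG = signPayload(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY);

console.log(verifyDelivery({ secret: SAMPLE_SECRET, rawBody: SAMPLE_BODY,
  signature: SAMPLE_SIG, timestamp: SAMPLE_TS, now: 1700000060000 }));
```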
Use an API key as a bearer token: Authorization: Bearer sk_live_...
Each key has a set of scopes that gate which endpoints it can call:
messages:read, messages:write, chats:read, lines:read,
reactions:read, reactions:write, typing:read, typing:write,
receipts:read, receipts:write, webhooks:read, webhooks:write,
outbox:read, files:read, files:write. Keys can also be restricted
to a subset of lines.
Line handle (phone number or Apple ID) to subscribe to
"+15551234567"
HTTPS URL to receive webhook deliveries
"https://example.com/webhooks"
Events to subscribe to. See the schemas
MessageReceivedEvent, MessageSentEvent,
ReactionAddedEvent, ReactionRemovedEvent below for the
data payload of each event.
Typing indicators (typing.started / typing.stopped)
and inbound read receipts (receipt.read) are not
delivered today; they will return when the underlying
macOS-side detection layer surfaces them.
message.received, message.sent, reaction.added, reaction.removed
["message.received", "message.sent"]