API Webhooks, Test Plans, and API Token Info

Jan Wittkamp
CEO @ Memida GmbH

In the world of APIs, standing still is not an option. With this update, we significantly expand the functionality of the Memida API: the introduction of webhooks enables real-time notifications, while the new test plan endpoints allow for more precise management and integration of test plans. Additionally, the extended API token info provides more context and security for your applications. This update is another step toward making your processes more efficient and secure.

Fig. 1 Memida API

New Webhook API

New Endpoints

  • GET /api/v1/webhooks/subscriptions
  • POST /api/v1/webhooks/subscriptions
  • PUT /api/v1/webhooks/subscriptions/{id}
  • DELETE /api/v1/webhooks/subscriptions/{id}
  • POST /api/v1/webhooks/subscriptions/{id}/test

Key Rules

  • Each subscription allows exactly one event_type.
  • target_url and event_type are immutable after creation.
  • For URL or event changes, a new subscription must be created.
  • description is available as a free-text field for frontend/user context.
  • Event types are documented directly in the OpenAPI documentation.

Current Event Types

  • apparatus.created
  • apparatus.updated
  • inspection.created
  • inspection.updated

Outgoing Webhooks

Outgoing headers:

  • X-Memida-Id
  • X-Memida-Event
  • X-Memida-Timestamp
  • X-Memida-Signature (v1=<hmac>)

Signature generation:

HMAC-SHA256(secret, timestamp + "." + rawJsonBody)

An example for validating the signature can be found in the API documentation under Webhooks.

Payload includes:

  • event_id, event_type, organization_id (UUID), company_id (UUID)
  • data.resource.{type,id,api_path}
  • optional data.changed
  • optional data.changed_fields (if delta is missing or incomplete)

Delivery semantics:

  • at-least-once
  • Recipients should deduplicate using event_id
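
The receiver-side handling described above, as an added example (not Memida's own code and not the example from its API documentation): it recomputes the signature over the raw body, rejects stale timestamps, and deduplicates on event_id. Hex encoding of the HMAC, Unix-seconds timestamps, the 300-second window, and the names sign and handle_webhook are assumptions.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300   # assumption: replay window chosen by the receiver
_seen_event_ids = set()   # in production: a shared store with expiry


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # HMAC-SHA256(secret, timestamp + "." + rawJsonBody); hex output is an assumption.
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes, now=None):
    """Return ("ok" | "duplicate" | "invalid", event_or_None)."""
    timestamp = headers.get("X-Memida-Timestamp", "")
    signature = headers.get("X-Memida-Signature", "")
    if not signature.startswith("v1="):
        return "invalid", None
    # Sign the raw bytes exactly as received; re-serialized JSON can differ.
    expected = sign(secret, timestamp, raw_body)
    if not hmac.compare_digest(expected.encode(), signature[3:].encode()):
        return "invalid", None
    # Freshness check limits replay of captured requests (Unix seconds assumed).
    try:
        age = abs((time.time() if now is None else now) - int(timestamp))
    except ValueError:
        return "invalid", None
    if age > TOLERANCE_SECONDS:
        return "invalid", None
    event = json.loads(raw_body)
    # At-least-once delivery: acknowledge duplicates without reprocessing.
    if event["event_id"] in _seen_event_ids:
        return "duplicate", event
    _seen_event_ids.add(event["event_id"])
    return "ok", event


# Constructed sample values, not real Memida data.
SECRET = b"constructed-test-secret"
BODY = b'{"event_id":"evt-0001","event_type":"apparatus.updated"}'
TS = "1700000000"
HEADERS = {"X-Memida-Timestamp": TS,
           "X-Memida-Signature": "v1=" + sign(SECRET, TS, BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, HEADERS, BODY, now=1700000010)[0])  # first delivery
    print(handle_webhook(SECRET, HEADERS, BODY, now=1700000020)[0])  # redelivery
```

A "duplicate" result should still be answered with a success status so the sender does not count it toward the 20 consecutive failures; only "invalid" warrants an error response.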

Retries/Deactivation:

  • Retry backoff is active.
  • A subscription is deactivated after 20 consecutive failures.

Security:

  • HTTPS targets only
  • SSRF protection (no private/local targets, no URL credentials)
  • Redirects are not followed
  • Timeout: connect 3s, total 10s

User View

Fig. 2 Webhook User View

Webhooks can also be created (1), viewed, and deprecated by an admin in the user area. To easily test functionality, test requests can be generated (3), and webhooks can be deactivated (2) when no longer needed. The secret is automatically generated and shown to the user only once. Be sure to copy the secret when it is shown and use it to verify the signature whenever a webhook event is triggered.

API Token Info

GET /api/v1/info now additionally provides:

  • organization_id (UUID)
  • company_id (UUID)

This allows clients to uniquely associate incoming webhooks with the correct organization and token context.

Test Plans API

New Endpoints

  • GET /api/v1/testplans (pagination, filter by apparatus_id, sort/page/limit)
  • POST /api/v1/testplans (JSON or multipart with files)
  • GET /api/v1/testplans/{testplan_id}
  • PUT /api/v1/testplans/{testplan_id} (including optional file uploads)

New information on how to use the feature can be found in our manual.