List Platform webhook endpoints
Lists non-deleted webhook endpoints owned by the API key's customer account, sorted by `createdAt DESC, id DESC` (newest first), with forward-only cursor pagination as specified in `PLATFORM_API_ARCHITECTURE.md §10`.
/api/platform/v1/webhook-endpointsLists non-deleted webhook endpoints owned by the API key's customer account, sorted by createdAt DESC, id DESC (newest first), with forward-only cursor pagination as specified in PLATFORM_API_ARCHITECTURE.md §10.
Authorization
platformApiKey CuraeAI Platform API key using the format Bearer . Keys are opaque credentials such as cae_live_..., not JWTs.
In: header
Query Parameters
Page size (1..100). Defaults to 25 when omitted. Requests with values outside this range receive 400 BAD_REQUEST rather than being silently clamped, so a misconfigured client surfaces the bug immediately.
Opaque pagination cursor previously returned in pagination.nextCursor. Clients MUST treat the value as a black box and pass it through unchanged. Malformed or cross-endpoint cursors return 400 BAD_REQUEST.
Response Body
application/json
application/problem+json
curl -X GET "https://example.com/api/platform/v1/webhook-endpoints"{ "data": [ { "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08", "resourceType": "WebhookEndpoint", "url": "http://example.com", "eventTypes": [ "patient.created" ], "status": "ACTIVE", "consecutiveFailures": 0, "lastDeliveryAttemptAt": "2019-08-24T14:15:22Z", "lastSuccessfulDeliveryAt": "2019-08-24T14:15:22Z", "createdAt": "2019-08-24T14:15:22Z", "updatedAt": "2019-08-24T14:15:22Z", "_version": "string", "_links": { "self": { "href": "string" } } } ], "pagination": { "nextCursor": "string", "hasMore": true }, "_links": { "self": { "href": "string" } }}{ "type": "string", "title": "string", "status": 0, "detail": "string", "instance": "string", "code": "string", "details": {}, "retryable": true}Retrieve a Platform patient profile GET
Retrieves the patient profile resource visible to the API key. The route enforces, in order: API-key scope (`patient:read`), Platform authorization (SpiceDB tuple-constraint resolution), tenant membership, and an RLS-backed Prisma read. Authorization-layer denials — including cross-tenant access attempts — surface as `403 PLATFORM_ACCESS_DENIED` with a uniform message that does not reveal whether the patient exists in another tenant. Resources that pass authorization but are absent from the caller's tenant via the RLS-backed read resolve as `404 NOT_FOUND`. See `Docs/architecture/PLATFORM_API_ARCHITECTURE.md` §7.4 for the tenant-leak-safe error contract.
Create a Platform webhook endpoint POST
Creates a webhook endpoint for the API key's customer account. The signing secret is returned only in this response.