← Docs For developers

Webhooks & Integrations

Receive a signed HTTP POST whenever a video is transcribed or analyzed, and route it into your own systems.

How It Works

You register a destination URL in the app's Webhooks screen and choose which events to receive. When an event fires, WATCH4ME sends a POST with a JSON body to your URL. Every delivery is HMAC-signed so you can verify authenticity.

Example Payload

The exact fields are shown in your webhook settings — treat this as an illustrative shape and confirm the live fields there.

{
  "event": "ai_summary_ready",
  "video": {
    "id": "abc123",
    "title": "Building reliable webhooks",
    "url": "https://www.youtube.com/watch?v=abc123",
    "channelTitle": "Example Channel"
  },
  "summary": "Short AI-generated summary of the video…",
  "topics": ["webhooks", "automation", "reliability"],
  "createdAt": "2026-06-29T10:00:00Z"
}

Verifying the Signature

WATCH4ME signs the raw request body with your signing secret (HMAC-SHA256) and sends the result in a signature header. Recompute it on your side and compare in constant time:

import crypto from 'node:crypto';

// Recompute the HMAC over the RAW request body and compare in constant time.
export function verifySignature(rawBody, signatureHeader, signingSecret) {
  const expected = crypto
    .createHmac('sha256', signingSecret)
    .update(rawBody)
    .digest('hex');
  const a = Buffer.from(expected);
  const b = Buffer.from(signatureHeader || '');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

A Minimal Receiver (Express)

Always verify against the raw body — parsing first can change bytes and break the signature.

import express from 'express';

const app = express();

// IMPORTANT: use the raw body so the signature matches byte-for-byte.
app.post('/webhooks/watchforme', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.header('X-WATCH4ME-Signature');
  if (!verifySignature(req.body, sig, process.env.WATCHFORME_SIGNING_SECRET)) {
    return res.status(401).send('invalid signature');
  }
  const payload = JSON.parse(req.body.toString('utf8'));
  // handle payload.event …
  res.sendStatus(200); // ack quickly; do slow work async
});

Best Practices

  • Respond 2xx fast, then do heavy work asynchronously.
  • Make handlers idempotent — the same event may be delivered more than once.
  • Store the signing secret securely (env var, never in client code).
  • Log deliveries; the app also keeps a delivery history you can review.

No-Code Options

Point the webhook at Zapier, Make or n8n to fan results out to hundreds of apps without writing a receiver.