Webhooks — NoteGate™ Note Lifecycle Events

Available events

Events live today

Register a webhook endpoint via the admin dashboard. NoteGate will POST a signed JSON payload to your endpoint for each event. All events include a X-NoteGate-Signature header for verification.

note.authored Live today

Emitted when a worker completes the compliant note-taking workflow and the note is submitted. Payload includes the compliant note content, participant ID, shift ID, compliance result, and audit metadata.

Payload

{
  "event": "note.authored",
  "event_id": "evt_abc123",
  "created_at": "2026-05-07T09:15:00.000Z",
  "tenant_id": "tenant_xyz",
  "data": {
    "note_id": "note_ghi012",
    "participant_id": "p_abc123",
    "worker_id": "w_xyz789",
    "shift_id": "shift_def456",
    "sector": "ndis",
    "shift_date": "2026-05-07",
    "compliance_result": {
      "passed": true,
      "flags": []
    },
    "narrative": "At 08:00 the participant was administered...",
    "audit_trail_id": "audit_jkl345",
    "submitted_at": "2026-05-07T09:15:00.000Z"
  }
}

Coming with launch partners

Q2 2026 events

These events are planned for the launch partner program integration phase. They are not available today.

note.submitted_to_crm Coming Q2 2026

Emitted when the compliant note is successfully written to the originating CRM's notes record. Payload includes both the NoteGate note ID and the CRM-side note ID so you can reconcile the records.

note.submission_failed Coming Q2 2026

Emitted when the outbound write to the CRM fails after all retry attempts. Payload includes the failure reason and retry status so your team can act before the note is lost.

mapping.updated Coming Q2 2026

Emitted when a tenant admin updates the field mapping override set via POST /v1/admin/mappings. Useful for audit logging in your own systems.

Security

Verifying webhook signatures

All webhook payloads are signed with HMAC-SHA256 using a per-tenant secret. Verify the signature before processing any event.

The signing secret is shown once in your tenant admin dashboard when you register the webhook endpoint. Store it securely. If compromised, rotate it in the dashboard and update your endpoint.

Signature header

NoteGate sends the signature in the X-NoteGate-Signature header in the format sha256=<hex_digest>. The digest is computed over the raw request body using your tenant's webhook secret.

JavaScript verification example

const crypto = require('crypto');

function verifyWebhook(rawBody, signatureHeader, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(rawBody)
    .digest('hex');
  // Constant-time comparison to prevent timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(signatureHeader),
    Buffer.from(expected)
  );
}

// Express example
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const sig = req.headers['x-notegate-signature'];
  if (!verifyWebhook(req.body, sig, process.env.NOTEGATE_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }
  const event = JSON.parse(req.body);
  // Handle event...
  res.status(200).send('OK');
});

Python verification example

import hmac
import hashlib

def verify_webhook(raw_body: bytes, signature_header: str, secret: str) -> bool:
    expected = 'sha256=' + hmac.new(
        secret.encode(), raw_body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature_header, expected)

# Flask example
from flask import Flask, request, abort
app = Flask(__name__)

@app.route('/webhook', methods=['POST'])
def webhook():
    sig = request.headers.get('X-NoteGate-Signature', '')
    if not verify_webhook(request.get_data(), sig, NOTEGATE_WEBHOOK_SECRET):
        abort(401)
    event = request.get_json(force=True)
    # Handle event...
    return '', 200

Timestamp tolerance

Each payload includes a created_at ISO 8601 timestamp. Reject payloads where created_at is more than 5 minutes old to prevent replay attacks. NoteGate does not include a separate timestamp in the signature, so use created_at for freshness checks.

Reliability

Retry policy

If your endpoint returns a non-2xx response, NoteGate retries with exponential backoff up to 5 attempts over 24 hours.

Attempt	Delay
1	Immediate
2	5 minutes
3	30 minutes
4	2 hours
5	22 hours

After 5 failed attempts, the event is moved to a dead-letter queue visible in your tenant admin dashboard. Dead-letter visibility is coming Q2 2026 — contact api@notegate.com.au if you need a failed event replayed before then.

Get started

Register a webhook endpoint

Webhook endpoints are registered in your NoteGate tenant admin dashboard under Settings › Webhooks. Your endpoint must:

Accept HTTPS POST requests
Respond with a 2xx status within 10 seconds
Process the event asynchronously if handling takes longer

To request sandbox access for webhook testing, email api@notegate.com.au with the subject "Webhook sandbox access".

Webhook events