API Keys & Webhooks
Owlat provides API keys for programmatic access and outbound webhooks for real-time event notifications. Together, they let you integrate Owlat into your...
Owlat provides API keys for programmatic access and outbound webhooks for real-time event notifications. Together, they let you integrate Owlat into your application stack — syncing contacts, triggering transactional emails, and reacting to email events like bounces and clicks.
API keys
Creating an API key
- Open Settings > API.
- Click Create API Key.
- Give the key a descriptive name (e.g., "Production Backend" or "Staging Sync").
- Copy the key immediately — it won't be shown again.
Store your API key securely. Never commit it to source control, include it in client-side code, or share it in plain text. Use environment variables or a secrets manager.
Using your API key
Include the API key in requests to the Owlat API. See the API documentation for authentication details, available endpoints, and SDK options.
Common API use cases:
- Creating and updating contacts from your application
- Sending transactional emails (password resets, notifications)
- Tracking custom events for automation triggers
- Managing list memberships programmatically
Revoking a key
If a key is compromised or no longer needed:
- Open Settings > API.
- Find the key and click Revoke.
- The key stops working immediately.
Rotate your API keys on a regular schedule — even if they haven't been compromised. This limits the blast radius if a key is ever leaked.
Webhooks
Webhooks are outbound HTTP calls that Owlat sends to your server when events happen — like an email being delivered, a link being clicked, or a contact unsubscribing.
Setting up a webhook
- Open Settings > Webhooks.
- Click Add Webhook.
- Enter your endpoint URL — the URL on your server that will receive the webhook payloads.
- Select the events you want to subscribe to.
- Save the webhook.
Available events
Owlat can notify you about events across several categories:
- Delivery events — email delivered, bounced, or deferred
- Engagement events — email opened, link clicked
- Subscription events — contact unsubscribed, complaint filed
- Contact events — contact created, updated
Subscribe only to the events you need. Processing unnecessary webhooks wastes resources on both sides.
Delivery logs
Each webhook endpoint shows a delivery log so you can monitor:
- Recent payloads sent to your endpoint
- HTTP response status codes
- Failed deliveries and retry attempts
If your endpoint is down or returning errors, webhooks will be retried automatically. Check the delivery log to diagnose issues.
Secret verification
Each webhook includes a signature that you can verify to confirm the payload came from Owlat and hasn't been tampered with. See the API documentation for verification details and code examples.
Always verify webhook signatures in production. Without verification, anyone who discovers your endpoint URL could send fake payloads.
Best practices
- Use descriptive key names — "Production App v2" tells you more than "Key 1" when you're reviewing your keys six months later.
- Separate keys by environment — use different API keys for development, staging, and production.
- Monitor webhook delivery — check the delivery logs periodically to catch endpoint issues before they impact your integration.
- Revoke unused credentials — remove old API keys and inactive webhook endpoints regularly.
Next steps
- API documentation — full API reference and SDK guides
- Transactional Emails — send triggered emails via the API
- Automations — trigger workflows from custom events
- Team & Permissions — control who can manage API keys