docs/content/rest/orgs/webhooks.md

---
title: Organization webhooks
allowTitleToDifferFromFilename: true
shortTitle: Webhooks
intro: Use the REST API to interact with webhooks in an organization.
versions: # DO NOT MANUALLY EDIT. CHANGES WILL BE OVERWRITTEN BY A 🤖
  fpt: '*'
  ghae: '*'
  ghec: '*'
  ghes: '*'
topics:
  - API
autogenerated: rest
---

## About organization webhooks

Organization webhooks allow you to receive HTTP `POST` payloads whenever certain events happen in an organization. For more information, see "[AUTOTITLE](/webhooks-and-events/webhooks/about-webhooks)."

### Scopes and restrictions

All actions against organization webhooks require the authenticated user to be an admin of the organization being managed. Additionally, OAuth tokens require the `admin:org_hook` scope. For more information, see "[AUTOTITLE](/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps)."

In order to protect sensitive data which may be present in webhook configurations, we also enforce the following access control rules:

- {% data variables.product.prodname_oauth_apps %} cannot list, view, or edit webhooks which they did not create.
- Users cannot list, view, or edit webhooks which were created by {% data variables.product.prodname_oauth_apps %}.

### Receiving Webhooks

In order for {% data variables.product.product_name %} to send webhook payloads, your server needs to be accessible from the Internet. We also highly suggest using SSL so that we can send encrypted payloads over HTTPS.

For more best practices, [see our guide](/rest/guides/best-practices-for-integrators).

#### Webhook headers

{% data variables.product.product_name %} will send along several HTTP headers to differentiate between event types and payload identifiers. See [webhook headers](/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers) for details.

<!-- Content after this section is automatically generated -->