Webhooks

Webhooks

Receive real-time notifications when events occur in Zep

Webhooks allow your application to receive real-time notifications when specific events occur in Zep, such as when an episode finishes processing or a batch ingestion completes. Instead of polling for changes, Zep pushes event data directly to your server as HTTP POST requests.

Webhooks are only available on certain plans. See the Zep pricing page for details.

Why use webhooks

Webhooks enable event-driven architectures where your application reacts immediately to changes:

  • Episode processed notifications: Trigger downstream processing when new data is added to a graph
  • Batch completion alerts: Know when large data imports finish so you can start using the data
  • BYOM monitoring: Receive alerts when your own LLM credentials hit rate limits or fail, so you can respond to provider issues quickly
  • Reduced polling: Eliminate the need to continuously check for updates

Setting up webhooks

Webhooks are configured per project within the Webhooks page in the Zep Dashboard sidebar.

2

Create an endpoint

Add a new endpoint by providing:

  • Endpoint URL: The HTTPS URL on your server that will receive webhook events
  • Subscribed events: Select which events you want to receive (e.g., episode.processed, ingest.batch.completed)
3

Save your signing secret

After creating an endpoint, you’ll see a signing secret. Copy and securely store this secret—you’ll need it to verify that incoming webhooks are genuinely from Zep.

Available events

Graph events

EventDescription
episode.processedFired when an episode finishes processing and is added to the graph
ingest.batch.completedFired when a batch ingestion operation completes, includes the list of episode UUIDs from the batch

BYOM events

These events are specific to Bring Your Own LLM (BYOM) configurations. They notify you when requests using your own model credentials encounter rate limits or failures, so you can monitor and react to issues with your LLM provider configuration.

BYOM webhook events are aggregated rather than sent per-request. Zep accumulates events over a 60-second window and delivers a single webhook summarizing all occurrences in that period. This prevents webhook spam during bursts of errors or rate limiting.

EventDescription
byom.rate_limitedFired when BYOM requests are rejected due to rate limiting from your LLM provider
byom.request_failedFired when BYOM requests fail due to credential or provider issues (invalid credentials, expired credentials, provider unavailable, unsupported model)

Webhook payload schemas

Graph event payload

Graph events (episode.processed, ingest.batch.completed) include the following fields:

FieldDescription
event_nameThe type of event (e.g., episode.processed)
account_idYour Zep account identifier
project_uidThe project where the event occurred
graph_idThe graph identifier*
user_idThe user identifier*
graph_typeEither user or graph, indicating the graph type

*Only one of graph_id or user_id will be present in a given payload, depending on the graph type.

BYOM event payload

BYOM events (byom.rate_limited, byom.request_failed) include the following fields:

FieldDescription
event_nameThe type of event (byom.rate_limited or byom.request_failed)
account_uuidYour Zep account identifier
project_uuidThe project where the event occurred
providerThe LLM provider (e.g., openai, anthropic)
modelThe model name (e.g., gpt-4o, claude-3)
countNumber of occurrences in the aggregation window
first_occurrenceISO 8601 timestamp of the first event in the window
last_occurrenceISO 8601 timestamp of the last event in the window
window_secondsDuration of the aggregation window in seconds (minimum 60)
error_codeThe specific error code (byom.request_failed only)

BYOM error codes

The error_code field in byom.request_failed events indicates the specific failure reason:

Error codeDescription
BYOM_CREDENTIALS_INVALIDThe provided LLM credentials are invalid or missing required fields
BYOM_CREDENTIALS_EXPIREDThe provided LLM credentials have expired
BYOM_PROVIDER_UNAVAILABLEThe LLM provider is unavailable or unreachable
BYOM_MODEL_NOT_SUPPORTEDThe requested model is not supported by the provider

Receiving webhooks

Your webhook endpoint must:

  • Accept HTTP POST requests
  • Return a 2xx status code (200-299) within 15 seconds to acknowledge receipt
  • Disable CSRF protection for the webhook route if your framework enables it by default
1from flask import Flask, request
2
3app = Flask(__name__)
4
5@app.route("/webhooks/zep", methods=["POST"])
6def handle_webhook():
7    payload = request.get_data(as_text=True)
8    headers = request.headers
9
10    # Verify the webhook signature (see next section)
11    # Process the event
12    event = request.json
13    event_name = event.get("event_name")
14
15    if event_name == "episode.processed":
16        # Handle episode processed event
17        pass
18    elif event_name == "ingest.batch.completed":
19        # Handle batch completion event
20        pass
21    elif event_name == "byom.rate_limited":
22        # Handle BYOM rate limiting
23        pass
24    elif event_name == "byom.request_failed":
25        # Handle BYOM request failure
26        error_code = event.get("error_code")
27        pass
28
29    return "", 200

Verifying webhook signatures

Verifying webhook signatures is highly recommended. Without verification, attackers could send fake HTTP POST requests to your endpoint, potentially causing your application to process fraudulent data.

Zep signs every webhook with a cryptographic signature using your endpoint’s signing secret. Verifying this signature ensures that:

  • The webhook genuinely came from Zep
  • The payload hasn’t been tampered with in transit

Zep uses Svix to manage webhooks. The easiest way to verify signatures is with the Svix client libraries.

First, install the Svix library:

$pip install svix

Then verify incoming webhooks:

1from svix.webhooks import Webhook
2
3# Your signing secret from the Zep Dashboard
4WEBHOOK_SECRET = "whsec_..."
5
6def verify_webhook(payload: str, headers: dict) -> dict:
7    wh = Webhook(WEBHOOK_SECRET)
8
9    # This will raise an exception if verification fails
10    return wh.verify(payload, headers)
11
12# In your webhook handler:
13@app.route("/webhooks/zep", methods=["POST"])
14def handle_webhook():
15    payload = request.get_data(as_text=True)
16    headers = {
17        "svix-id": request.headers.get("svix-id"),
18        "svix-timestamp": request.headers.get("svix-timestamp"),
19        "svix-signature": request.headers.get("svix-signature"),
20    }
21
22    try:
23        event = verify_webhook(payload, headers)
24        # Process the verified event
25        return "", 200
26    except Exception as e:
27        print(f"Webhook verification failed: {e}")
28        return "", 400

The verification process requires the raw request body exactly as received. Many web frameworks automatically parse JSON bodies, which can break signature verification. Make sure to access the raw body before any parsing middleware runs.

Manual verification

If you prefer not to use the Svix libraries, you can verify signatures manually using HMAC-SHA256.

Every webhook includes three headers for verification:

  • svix-id: Unique message identifier
  • svix-timestamp: Unix timestamp (seconds since epoch)
  • svix-signature: Base64-encoded signatures (may include multiple, comma-separated)
1

Construct the signed content

Concatenate the svix-id, svix-timestamp, and the raw request body, separated by periods:

{svix-id}.{svix-timestamp}.{raw-body}
2

Calculate the expected signature

Use HMAC-SHA256 with your signing secret (base64-decoded, excluding the whsec_ prefix) to sign the content:

1const crypto = require('crypto');
2
3const signedContent = `${svixId}.${svixTimestamp}.${rawBody}`;
4const secret = "whsec_...";
5const secretBytes = Buffer.from(secret.split('_')[1], "base64");
6const expectedSignature = crypto
7    .createHmac('sha256', secretBytes)
8    .update(signedContent)
9    .digest('base64');
3

Compare signatures

The svix-signature header may contain multiple signatures prefixed with version numbers (e.g., v1,abc123). Remove the version prefix and compare against your calculated signature.

Use constant-time string comparison to prevent timing attacks.

4

Validate the timestamp

Compare the svix-timestamp against your server’s current time. Reject webhooks with timestamps more than 5 minutes old to prevent replay attacks.

For more details on manual verification, see the Svix documentation on manual verification.

Managing webhooks

The Webhooks tab in the Zep Dashboard provides several management features:

  • Disable/Enable: Temporarily stop receiving events without deleting your endpoint configuration
  • Activity logs: View the history of webhook deliveries and their status
  • Replay messages: Re-send failed webhooks for debugging or recovery
  • Rate limiting: Configure throttling to control the rate of incoming webhooks
  • Delete: Remove an endpoint entirely

Webhook configuration is project-specific. Each project has its own set of webhook endpoints and subscriptions. If you have multiple projects, you’ll need to configure webhooks separately for each one.

Changes to webhook configuration (including creating, updating, or deleting endpoints) take 5-10 minutes to propagate and take effect. This delay is due to a caching mechanism that ensures optimal performance across Zep’s infrastructure.

Pricing

Webhook deliveries consume credits. See the Zep pricing page for costs.

Best practices

  • Always verify signatures: Treat unverified webhooks as potentially malicious
  • Respond quickly: Return a 2xx response within 15 seconds to avoid timeout retries
  • Process asynchronously: If handling takes longer than a few seconds, acknowledge receipt immediately and process the event in a background job
  • Handle duplicates: Webhooks may occasionally be delivered more than once; use the svix-id header to deduplicate
  • Monitor failures: Check the activity logs in the Dashboard to identify and fix delivery issues

Further reading

For additional information on consuming webhooks: