Skip to main content
WEBHOOK
official.joined
{
  "id": "<string>",
  "createdAt": "2023-11-07T05:31:56Z",
  "data": {
    "leagueId": "<string>",
    "userId": "<string>",
    "role": "<string>",
    "status": "<string>",
    "externalId": "<string>",
    "source": "<string>"
  }
}

Authorizations

Authorization
string
header
required

Partner API key: Authorization: Bearer whk_…. Keys are issued by the Whistle team (email tommy@huddleup-sports.com), shown once at issuance, and bound to your source namespace — they access only your leagues (plus explicit grants) and your webhook endpoints. Any auth failure returns 401 {"error":"unauthorized"}; the API never returns 403 — out-of-scope resources answer 404 exactly like nonexistent ones.

Body

application/json

Every webhook POST body. Headers: X-Whistle-Event (event name), X-Whistle-Delivery (stable across retries — dedupe on it), X-Whistle-Signature (sha256= + HMAC-SHA256 of the raw body using your endpoint secret).

id
string
required

Delivery id.

event
enum<string>
required
Available options:
game.created,
game.updated,
game.cancelled,
game.completed,
position.claimed,
position.released,
payment.paid,
payment.failed,
official.joined,
official.approved,
official.removed,
official.no_show
createdAt
string<date-time>
required
data
object
required

Event-specific payload.

Response

200

Return any 2xx to acknowledge

Last modified on July 10, 2026