{
"id": "<string>",
"createdAt": "2023-11-07T05:31:56Z",
"data": {
"leagueId": "<string>",
"userId": "<string>"
}
}An official was removed from a league
Guaranteed fields: leagueId, userId. In-app removals add membershipId.
{
"id": "<string>",
"createdAt": "2023-11-07T05:31:56Z",
"data": {
"leagueId": "<string>",
"userId": "<string>"
}
}Authorizations
Partner API key: Authorization: Bearer whk_…. Keys are issued by the Whistle team (email tommy@huddleup-sports.com), shown once at issuance, and bound to your source namespace — they access only your leagues (plus explicit grants) and your webhook endpoints. Any auth failure returns 401 {"error":"unauthorized"}; the API never returns 403 — out-of-scope resources answer 404 exactly like nonexistent ones.
Body
Every webhook POST body. Headers: X-Whistle-Event (event name), X-Whistle-Delivery (stable across retries — dedupe on it), X-Whistle-Signature (sha256= + HMAC-SHA256 of the raw body using your endpoint secret).
Delivery id.
game.created, game.updated, game.cancelled, game.completed, position.claimed, position.released, payment.paid, payment.failed, official.joined, official.approved, official.removed, official.no_show Event-specific payload.
Show child attributes
Show child attributes
Response
Return any 2xx to acknowledge

