> ## Documentation Index
> Fetch the complete documentation index at: https://docs.totalis.trade/llms.txt
> Use this file to discover all available pages before exploring further.

# Set Webhook Config

> Set the endpoint URL and subscribed events.



## OpenAPI

````yaml PUT /v1/webhooks
openapi: 3.0.3
info:
  title: Totalis RFQ API
  version: 2.1.0
  description: >-
    Public REST surface for the Totalis parlay RFQ platform — a decentralized
    request-for-quote marketplace for parlay bets across Kalshi and Polymarket,
    with on-chain Solana vault settlement.


    **Wire format**: snake_case JSON. All successful responses are wrapped in `{
    "data": ... }`; list endpoints add `meta` with cursor-based pagination.
    Errors use a `{ "error": { code, message, details? } }` envelope.


    **Authentication**: programmatic clients send `X-API-Key`; the web dashboard
    uses Privy JWTs (`Authorization: Bearer ...`). Any authenticated user can
    both place parlays and quote as a market maker — there is no separate MM
    role. Admin endpoints are out of scope for this public reference.


    **Rate limiting**: 100 req/min anonymous, 300 req/min authenticated.
    Responses include `X-RateLimit-*` headers. Request body limit: 256KB.


    **Pagination**: list endpoints use opaque cursor pagination. Pass
    `meta.cursor` from the previous response as `?cursor=...` to fetch the next
    page; do not parse or construct cursors client-side.
servers:
  - url: https://api.totalis.trade
    description: Production
security:
  - ApiKey: []
tags:
  - name: Markets
    description: Cached Kalshi and Polymarket market data.
  - name: User
    description: User profile, wallet, and devnet helpers.
  - name: API Keys
    description: Manage programmatic access keys for the authenticated user.
paths:
  /v1/webhooks:
    put:
      tags:
        - Webhooks
      summary: Set webhook config
      description: >-
        Replace the endpoint URL and subscribed events. Preserves the signing
        secret. A fresh endpoint is undeliverable until a secret is set (see
        rotate-secret).
      operationId: setWebhookConfig
      parameters:
        - name: owner_kind
          in: query
          description: 'Which endpoint to address: `user` (default) or `mm` (market-maker).'
          schema:
            type: string
            enum:
              - user
              - mm
            default: user
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/WebhookConfigInput'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/WebhookConfig'
        '400':
          $ref: '#/components/responses/BadRequest'
      security:
        - PrivyJWT: []
        - ApiKey: []
components:
  schemas:
    WebhookConfigInput:
      type: object
      required:
        - url
        - events
      properties:
        url:
          type: string
          description: HTTPS endpoint. Must not resolve to private/internal infrastructure.
        events:
          type: array
          items:
            type: string
          description: >-
            Event names to subscribe to (subset of the catalog). Empty parks the
            endpoint.
    WebhookConfig:
      type: object
      properties:
        owner_kind:
          type: string
          enum:
            - user
            - mm
        url:
          type: string
          nullable: true
          description: Configured HTTPS endpoint, or null if never set.
        events:
          type: array
          items:
            type: string
          description: Subscribed event names.
        status:
          type: string
          nullable: true
          description: Endpoint status, or null if never configured.
        has_signing_secret:
          type: boolean
          description: Whether a signing secret is set (deliveries require one).
        event_catalog:
          type: array
          items:
            type: string
          description: The events this endpoint kind may subscribe to. (GET only.)
    ErrorEnvelope:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
    ErrorBody:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          enum:
            - VALIDATION_ERROR
            - UNAUTHORIZED
            - FORBIDDEN
            - NOT_FOUND
            - CONFLICT
            - RATE_LIMITED
            - PAYLOAD_TOO_LARGE
            - INTERNAL_ERROR
            - SERVICE_UNAVAILABLE
          description: Machine-readable error code.
        message:
          type: string
          description: Human-readable error message.
        details:
          type: object
          description: Additional error context.
        retry_after:
          type: integer
          nullable: true
          description: Seconds until retry; set on 429 responses.
  responses:
    BadRequest:
      description: Validation error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  securitySchemes:
    ApiKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: >-
        Programmatic API key. Sent as `X-API-Key: <key>`. Generate one from the
        Totalis dashboard. The same header is accepted on the WebSocket auth
        message.
    PrivyJWT:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Privy JWT issued to the web dashboard. Sent as `Authorization: Bearer
        <jwt>`. The Privy session signer underpins all wallet-signed actions.

````