Webhook API documentation + announcement blog + changelog

[atharvadeosthale]

PR changes webhooks pages, make it more informative, adds announcement blog, and changelog.

[greptile-apps]

Greptile Summary

This PR adds programmatic webhook management via Server SDKs, backed by new webhooks.read/webhooks.write API key scopes. It expands the webhooks docs page with multicode SDK examples for create/update/delete, updates the verification section with timing-safe comparisons in most languages, and ships a matching announcement blog post and changelog entry.

• The Swift verification snippet still uses elementsEqual(_:by:) with a short-circuiting predicate, leaving a timing side-channel that the prior-round fix did not fully close (see inline comment).
• The Java create snippet includes an enabled positional argument that the equivalent Kotlin snippet omits; one of the two is likely wrong.

Confidence Score: 4/5

Safe to merge after the Swift verification snippet is corrected; the timing vulnerability would be copied verbatim by Swift developers.

One P1 security finding remains — the Swift elementsEqual comparison is not constant-time, undoing the timing-attack protection that was explicitly added in the previous commit. All other languages are correctly fixed. A P2 discrepancy between the Java and Kotlin enabled parameter should also be verified.

src/routes/docs/advanced/platform/webhooks/+page.markdoc (Swift verification snippet lines 938–941; Java create snippet lines 206–220)

Security Review

• Timing side-channel (Swift verification snippet) — String.UTF8View.elementsEqual(_:by:) short-circuits on the first mismatched byte, leaking signature comparison position via response time. All other language snippets now use constant-time primitives (crypto.timingSafeEqual, hmac.compare_digest, hash_equals, OpenSSL.secure_compare, subtle.ConstantTimeCompare, CryptographicOperations.FixedTimeEquals, ct_eq) after the previous review cycle, but the Swift case remains vulnerable.

Important Files Changed

Filename	Overview
src/routes/docs/advanced/platform/webhooks/+page.markdoc	Major expansion with SDK examples for create/update/delete, and updated verification snippets — Swift verification uses elementsEqual which short-circuits and is not constant-time; Java create has an extra enabled param not present in the Kotlin equivalent.
src/routes/blog/post/announcing-webhooks-api/+page.markdoc	New announcement blog post for the Webhooks API; content is clear and consistent with the docs page examples.
src/routes/changelog/(entries)/2026-04-10.markdoc	New changelog entry describing the Webhooks API launch; concise and correct.
src/routes/docs/advanced/platform/api-keys/+page.markdoc	Adds webhooks.read and webhooks.write rows to the scopes table; straightforward and correct.

_{Reviews (4): Last reviewed commit: "using import for server node" | Re-trigger Greptile}

[Meldiron]

Lets switch to modern import statement, import { Client, Webhooks } from 'node-appwrite';

[Meldiron]

Worth mentioning SDK version in which it was added

[Meldiron]

Maybe command to upgrade too

[Meldiron]

Maybe link to SDK changelogs as well

[Meldiron]

Might be worth having some more examples:

• showcase of ability to set httpUser and httpPass
• showcase ability to list webhooks (filter, paginate, maybe)
• Ability to rotate signature key

[Meldiron]

Might be worth mentioning all runtimes we have SDKs for, so they know they can use all of that

[Meldiron]

Considering CI/CD use case, it might be smart to have some CLI examples too