Documentation Index
Fetch the complete documentation index at: https://docs.deck.co/llms.txt
Use this file to discover all available pages before exploring further.
Event destinations
A destination defines where events are delivered. Deck supports multiple destination types so you can receive events wherever your infrastructure already lives.
Supported destination types
| Type | Identifier | Description |
|---|
| Webhook | webhook | HTTP endpoint that receives POST requests with Standard Webhooks signatures |
| AWS SQS | aws_sqs | Amazon Simple Queue Service queue |
| AWS Kinesis | aws_kinesis | Amazon Kinesis Data Stream |
| AWS S3 | aws_s3 | Amazon S3 bucket (events stored as JSON objects) |
| GCP Pub/Sub | gcp_pubsub | Google Cloud Pub/Sub topic |
| Azure Service Bus | azure_servicebus | Azure Service Bus queue or topic |
| RabbitMQ | rabbitmq | AMQP-compatible message broker exchange |
| Hookdeck | hookdeck | Hookdeck Event Gateway for routing, filtering, and transforming events |
Creating a destination
To create a destination, send a POST to /v2/event-destinations with the destination type, a type-specific configuration object keyed by the type name, optional credentials, and the events you want to receive.
POST /v2/event-destinations
{
"name": "Production Webhook",
"type": "webhook",
"webhook": {
"url": "https://your-app.com/webhooks/deck"
},
"events": ["credential.verified", "task_run.completed", "task_run.failed"]
}
"events": ["*"] to subscribe to everything.
Destination configuration reference
Each destination type requires specific configuration fields and credentials.
Webhook
AWS SQS
AWS Kinesis
AWS S3
GCP Pub/Sub
Azure Service Bus
RabbitMQ
Hookdeck
Delivers events as HTTP POST requests to a URL endpoint. Signed using the Standard Webhooks specification.Config| Field | Type | Required | Description |
|---|
webhook.url | string | Yes | The HTTPS endpoint URL |
webhook.custom_headers | string | No | JSON object of additional headers to include on every request |
| Field | Type | Required | Description |
|---|
credentials.secret | string | No | Signing secret (whsec_ prefix). Auto-generated if not provided. |
{
"type": "webhook",
"webhook": {
"url": "https://your-app.com/webhooks/deck"
},
"events": ["*"]
}
Delivers events as messages to an Amazon SQS queue. Event metadata is included as message attributes.Config| Field | Type | Required | Description |
|---|
aws_sqs.queue_url | string | Yes | Full SQS queue URL |
| Field | Type | Required | Description |
|---|
credentials.key | string | Yes | AWS Access Key ID |
credentials.secret | string | Yes | AWS Secret Access Key |
credentials.session | string | No | Session token for temporary credentials |
sqs:SendMessage on the queue resource.{
"type": "aws_sqs",
"aws_sqs": {
"queue_url": "https://sqs.us-east-1.amazonaws.com/123456789012/deck-events"
},
"credentials": {
"key": "AKIAIOSFODNN7EXAMPLE",
"secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
},
"events": ["*"]
}
Streams events to an Amazon Kinesis Data Stream. The event ID is used as the default partition key.Config| Field | Type | Required | Description |
|---|
aws_kinesis.stream_name | string | Yes | Kinesis stream name |
aws_kinesis.region | string | Yes | AWS region (e.g., us-east-1) |
| Field | Type | Required | Description |
|---|
credentials.key | string | Yes | AWS Access Key ID |
credentials.secret | string | Yes | AWS Secret Access Key |
credentials.session | string | No | Session token for temporary credentials |
kinesis:PutRecord on the stream resource.{
"type": "aws_kinesis",
"aws_kinesis": {
"stream_name": "deck-events",
"region": "us-east-1"
},
"credentials": {
"key": "AKIAIOSFODNN7EXAMPLE",
"secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
},
"events": ["*"]
}
Stores events as JSON objects in an Amazon S3 bucket. Each event becomes a separate object with the key format {timestamp}_{event_id}.json.Config| Field | Type | Required | Description |
|---|
aws_s3.bucket | string | Yes | S3 bucket name |
aws_s3.region | string | Yes | AWS region (e.g., us-east-1) |
aws_s3.storage_class | string | No | S3 storage class. Defaults to STANDARD. |
| Field | Type | Required | Description |
|---|
credentials.key | string | Yes | AWS Access Key ID |
credentials.secret | string | Yes | AWS Secret Access Key |
credentials.session | string | No | Session token for temporary credentials |
s3:PutObject on the bucket resource.Supported storage classes: STANDARD, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, GLACIER_IR, DEEP_ARCHIVE.{
"type": "aws_s3",
"aws_s3": {
"bucket": "deck-events",
"region": "us-east-1"
},
"credentials": {
"key": "AKIAIOSFODNN7EXAMPLE",
"secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
},
"events": ["*"]
}
Publishes events to a Google Cloud Pub/Sub topic. Event metadata is included as message attributes.Config| Field | Type | Required | Description |
|---|
gcp_pubsub.project_id | string | Yes | GCP project ID |
gcp_pubsub.topic | string | Yes | Pub/Sub topic name |
| Field | Type | Required | Description |
|---|
credentials.service_account_json | string | Yes | Service account JSON key (stringified) |
roles/pubsub.publisher on the topic.{
"type": "gcp_pubsub",
"gcp_pubsub": {
"project_id": "my-gcp-project",
"topic": "deck-events"
},
"credentials": {
"service_account_json": "{\"type\": \"service_account\", ...}"
},
"events": ["*"]
}
Sends events to an Azure Service Bus queue or topic. Event metadata is included as application properties.Config| Field | Type | Required | Description |
|---|
azure_servicebus.name | string | Yes | Queue or topic name |
| Field | Type | Required | Description |
|---|
credentials.credential_string | string | Yes | Service Bus credential string with Send permission |
{
"type": "azure_servicebus",
"azure_servicebus": {
"name": "deck-events"
},
"credentials": {
"credential_string": "Endpoint=sb://my-namespace.servicebus.windows.net/;SharedAccessKeyName=sender;SharedAccessKey=..."
},
"events": ["*"]
}
Publishes events to a RabbitMQ exchange via AMQP. The event type is used as the routing key. Event metadata is included as message headers.Config| Field | Type | Required | Description |
|---|
rabbitmq.server_url | string | Yes | RabbitMQ host and port (e.g., rabbitmq.example.com:5672) |
rabbitmq.exchange | string | Yes | Exchange name |
rabbitmq.tls | string | No | Enable TLS. Defaults to false. |
| Field | Type | Required | Description |
|---|
credentials.username | string | Yes | RabbitMQ username |
credentials.password | string | Yes | RabbitMQ password |
{
"type": "rabbitmq",
"rabbitmq": {
"server_url": "rabbitmq.example.com:5672",
"exchange": "deck-events"
},
"credentials": {
"username": "deck",
"password": "..."
},
"events": ["*"]
}
Routes events through the Hookdeck Event Gateway for advanced routing, filtering, and transformation before delivery. Routing and delivery settings are managed in the Hookdeck dashboard.Credentials| Field | Type | Required | Description |
|---|
credentials.token | string | Yes | Hookdeck source token |
{
"type": "hookdeck",
"credentials": {
"token": "<HOOKDECK_SOURCE_TOKEN>"
},
"events": ["*"]
}
Verifying webhook signatures
Deck uses the Standard Webhooks specification for webhook signatures. Every delivery includes headers for verification, and a whsec_ signing secret is generated automatically when you create a webhook destination. You can retrieve it from the Console.
| Header | Description |
|---|
webhook-id | Unique event identifier |
webhook-timestamp | Unix timestamp of when the delivery was sent |
webhook-signature | Base64-encoded HMAC-SHA256 signature in v1,<signature> format |
Verification
Use the official Standard Webhooks SDK to verify signatures. SDKs are available for JavaScript, Python, Go, Ruby, Java, Rust, and more.
import { Webhook } from "standardwebhooks";
const wh = new Webhook(process.env.DECK_WEBHOOK_SECRET);
app.post("/webhooks/deck", (req, res) => {
try {
const payload = wh.verify(req.rawBody, req.headers);
await processEvent(payload);
res.status(200).json({ received: true });
} catch (err) {
res.status(401).json({ error: "Invalid signature" });
}
});
Secret rotation
When you rotate your signing secret, Deck keeps the previous secret valid for 24 hours. During this window, verify against both secrets so you can roll over without downtime.
Destination statuses
| Status | Meaning |
|---|
pending_verification | Deck is waiting for a successful response from your endpoint |
active | Receiving deliveries |
inactive | Disabled by you or by repeated delivery failures |
Deliveries
Each delivery is tracked independently. A delivery fails when the destination does not acknowledge within 5 seconds.
Failed deliveries retry up to 3 times with exponential backoff. If all attempts fail, the destination is set to inactive.
Delivery statuses
| Status | Meaning |
|---|
success | Delivered and acknowledged |
failure | All retry attempts exhausted |
Replaying a delivery
To retry a single failed delivery:
POST /v2/event-deliveries/{event_delivery_id}/replay
