Destinations and deliveries

Event destinations

A destination defines where events are delivered. Deck supports multiple destination types so you can receive events wherever your infrastructure already lives.

Supported destination types

Type	Identifier	Description
Webhook	`webhook`	HTTP endpoint that receives `POST` requests with Standard Webhooks signatures
AWS SQS	`aws_sqs`	Amazon Simple Queue Service queue
AWS Kinesis	`aws_kinesis`	Amazon Kinesis Data Stream
AWS S3	`aws_s3`	Amazon S3 bucket (events stored as JSON objects)
GCP Pub/Sub	`gcp_pubsub`	Google Cloud Pub/Sub topic
Azure Service Bus	`azure_servicebus`	Azure Service Bus queue or topic
RabbitMQ	`rabbitmq`	AMQP-compatible message broker exchange
Hookdeck	`hookdeck`	Hookdeck Event Gateway for routing, filtering, and transforming events

Creating a destination

To create a destination, send a POST to /v2/event-destinations with the destination type, its type-specific config and credentials, and the events you want to receive.

POST /v2/event-destinations

{
  "name": "Production Webhook",
  "type": "webhook",
  "config": {
    "url": "https://your-app.com/webhooks/deck"
  },
  "events": ["connection.connected", "task_run.completed", "task_run.failed"]
}

Use "events": ["*"] to subscribe to everything.

Destination configuration reference

Each destination type requires specific configuration fields and credentials.

Delivers events as HTTP POST requests to a URL endpoint. Signed using the Standard Webhooks specification.Config

Field	Type	Required	Description
`config.url`	string	Yes	The HTTPS endpoint URL
`config.custom_headers`	string	No	JSON object of additional headers to include on every request

Credentials

Field	Type	Required	Description
`credentials.secret`	string	No	Signing secret (`whsec_` prefix). Auto-generated if not provided.

{
  "type": "webhook",
  "config": {
    "url": "https://your-app.com/webhooks/deck"
  },
  "events": ["*"]
}

Delivers events as messages to an Amazon SQS queue. Event metadata is included as message attributes.Config

Field	Type	Required	Description
`config.queue_url`	string	Yes	Full SQS queue URL

Credentials

Field	Type	Required	Description
`credentials.key`	string	Yes	AWS Access Key ID
`credentials.secret`	string	Yes	AWS Secret Access Key
`credentials.session`	string	No	Session token for temporary credentials

Required IAM permission: sqs:SendMessage on the queue resource.

{
  "type": "aws_sqs",
  "config": {
    "queue_url": "https://sqs.us-east-1.amazonaws.com/123456789012/deck-events"
  },
  "credentials": {
    "key": "AKIAIOSFODNN7EXAMPLE",
    "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  },
  "events": ["*"]
}

Streams events to an Amazon Kinesis Data Stream. The event ID is used as the default partition key.Config

Field	Type	Required	Description
`config.stream_name`	string	Yes	Kinesis stream name
`config.region`	string	Yes	AWS region (e.g., `us-east-1`)

Credentials

Field	Type	Required	Description
`credentials.key`	string	Yes	AWS Access Key ID
`credentials.secret`	string	Yes	AWS Secret Access Key
`credentials.session`	string	No	Session token for temporary credentials

Required IAM permission: kinesis:PutRecord on the stream resource.

{
  "type": "aws_kinesis",
  "config": {
    "stream_name": "deck-events",
    "region": "us-east-1"
  },
  "credentials": {
    "key": "AKIAIOSFODNN7EXAMPLE",
    "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  },
  "events": ["*"]
}

Stores events as JSON objects in an Amazon S3 bucket. Each event becomes a separate object with the key format {timestamp}_{event_id}.json.Config

Field	Type	Required	Description
`config.bucket`	string	Yes	S3 bucket name
`config.region`	string	Yes	AWS region (e.g., `us-east-1`)
`config.storage_class`	string	No	S3 storage class. Defaults to `STANDARD`.

Credentials

Field	Type	Required	Description
`credentials.key`	string	Yes	AWS Access Key ID
`credentials.secret`	string	Yes	AWS Secret Access Key
`credentials.session`	string	No	Session token for temporary credentials

Required IAM permission: s3:PutObject on the bucket resource.Supported storage classes: STANDARD, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, GLACIER, GLACIER_IR, DEEP_ARCHIVE.

{
  "type": "aws_s3",
  "config": {
    "bucket": "deck-events",
    "region": "us-east-1"
  },
  "credentials": {
    "key": "AKIAIOSFODNN7EXAMPLE",
    "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  },
  "events": ["*"]
}

Publishes events to a Google Cloud Pub/Sub topic. Event metadata is included as message attributes.Config

Field	Type	Required	Description
`config.project_id`	string	Yes	GCP project ID
`config.topic`	string	Yes	Pub/Sub topic name

Credentials

Field	Type	Required	Description
`credentials.service_account_json`	string	Yes	Service account JSON key (stringified)

Required IAM role: roles/pubsub.publisher on the topic.

{
  "type": "gcp_pubsub",
  "config": {
    "project_id": "my-gcp-project",
    "topic": "deck-events"
  },
  "credentials": {
    "service_account_json": "{\"type\": \"service_account\", ...}"
  },
  "events": ["*"]
}

Sends events to an Azure Service Bus queue or topic. Event metadata is included as application properties.Config

Field	Type	Required	Description
`config.name`	string	Yes	Queue or topic name

Credentials

Field	Type	Required	Description
`credentials.connection_string`	string	Yes	Service Bus connection string with `Send` permission

{
  "type": "azure_servicebus",
  "config": {
    "name": "deck-events"
  },
  "credentials": {
    "connection_string": "Endpoint=sb://my-namespace.servicebus.windows.net/;SharedAccessKeyName=sender;SharedAccessKey=..."
  },
  "events": ["*"]
}

Publishes events to a RabbitMQ exchange via AMQP. The event type is used as the routing key. Event metadata is included as message headers.Config

Field	Type	Required	Description
`config.server_url`	string	Yes	RabbitMQ host and port (e.g., `rabbitmq.example.com:5672`)
`config.exchange`	string	Yes	Exchange name
`config.tls`	string	No	Enable TLS. Defaults to `false`.

Credentials

Field	Type	Required	Description
`credentials.username`	string	Yes	RabbitMQ username
`credentials.password`	string	Yes	RabbitMQ password

The exchange must already exist. Deck publishes messages with the event type as the routing key, so you can bind queues using topic patterns.

{
  "type": "rabbitmq",
  "config": {
    "server_url": "rabbitmq.example.com:5672",
    "exchange": "deck-events"
  },
  "credentials": {
    "username": "deck",
    "password": "..."
  },
  "events": ["*"]
}

Routes events through the Hookdeck Event Gateway for advanced routing, filtering, and transformation before delivery. Routing and delivery settings are managed in the Hookdeck dashboard.Credentials

Field	Type	Required	Description
`credentials.token`	string	Yes	Hookdeck source token

{
  "type": "hookdeck",
  "credentials": {
    "token": "<HOOKDECK_SOURCE_TOKEN>"
  },
  "events": ["*"]
}

Verifying webhook signatures

Deck uses the Standard Webhooks specification for webhook signatures. Every delivery includes headers for verification, and a whsec_ signing secret is generated automatically when you create a webhook destination. You can retrieve it from the Dashboard.

Headers sent with each delivery

Header	Description
`webhook-id`	Unique event identifier
`webhook-timestamp`	Unix timestamp of when the delivery was sent
`webhook-signature`	Base64-encoded HMAC-SHA256 signature in `v1,<signature>` format

Verification

Use the official Standard Webhooks SDK to verify signatures. SDKs are available for JavaScript, Python, Go, Ruby, Java, Rust, and more.

import { Webhook } from "standardwebhooks";

const wh = new Webhook(process.env.DECK_WEBHOOK_SECRET);

app.post("/webhooks/deck", (req, res) => {
  try {
    const payload = wh.verify(req.rawBody, req.headers);
    await processEvent(payload);
    res.status(200).json({ received: true });
  } catch (err) {
    res.status(401).json({ error: "Invalid signature" });
  }
});

Secret rotation

When you rotate your signing secret, Deck keeps the previous secret valid for 24 hours. During this window, verify against both secrets so you can roll over without downtime.

Destination statuses

Status	Meaning
`pending_verification`	Deck is waiting for a successful response from your endpoint
`active`	Receiving deliveries
`inactive`	Disabled by you or by repeated delivery failures

Deliveries

Each delivery is tracked independently. A delivery fails when the destination does not acknowledge within 5 seconds. Failed deliveries retry up to 3 times with exponential backoff. If all attempts fail, the destination is set to inactive.

Delivery statuses

Status	Meaning
`success`	Delivered and acknowledged
`failure`	All retry attempts exhausted
`skipped`	Destination was `inactive` at time of send

Replaying a delivery

To retry a single failed delivery:

POST /v2/event-deliveries/{event_delivery_id}/replay

Get Started

Guides

Development

Platform

Migration Guides

Destinations and deliveries

Event destinations

Supported destination types

Creating a destination

Destination configuration reference

Verifying webhook signatures

Headers sent with each delivery

Verification

Secret rotation

Destination statuses

Deliveries

Delivery statuses

Replaying a delivery

Get Started

Guides

Development

Platform

Migration Guides

​Event destinations

​Supported destination types

​Creating a destination

​Destination configuration reference

​Verifying webhook signatures

​Headers sent with each delivery

​Verification

​Secret rotation

​Destination statuses

​Deliveries

​Delivery statuses

​Replaying a delivery

Event destinations

Supported destination types

Creating a destination

Destination configuration reference

Verifying webhook signatures

Headers sent with each delivery

Verification

Secret rotation

Destination statuses

Deliveries

Delivery statuses

Replaying a delivery