# Create webhook endpoint

Create a new webhook for the sponsor.

Only one webhook is allowed per sponsor. The secret is returned only on creation.
Store it securely - it cannot be retrieved later.

The secret is used to generate HMAC-SHA256 signatures for webhook payloads.

You can optionally specify which events to subscribe to. If not provided, the webhook
will receive all available event types.

Endpoint: POST /webhooks
Version: 1.0.0
Security: APIKeyHeader

## Request fields (application/json):

  - `url` (string, required)
    Webhook endpoint URL (must be HTTPS in production)
    Example: "https://api.example.com/webhooks/pdp"

  - `events` (any)
    List of event types to subscribe to. If not provided, subscribes to all events.
    Example: ["invoice.created"]

## Response 201 fields (application/json):

  - `webhook_id` (string, required)
    Unique webhook identifier
    Example: "webhook_abc123def456"

  - `url` (string, required)
    Webhook endpoint URL
    Example: "https://api.example.com/webhooks/pdp"

  - `secret` (string, required)
    HMAC secret key (only returned once!)
    Example: "a1b2c3d4...64char_hex_secret"

  - `events` (array, required)
    Subscribed event types
    Example: ["invoice.created"]

  - `created_at` (string, required)
    Creation timestamp

  - `message` (string)
    Success message

## Response 409 fields (application/json):

  - `error` (string, required)

  - `code` (integer, required)

  - `trace_id` (string, required)

## Response 422 fields (application/json):

  - `detail` (array)

  - `detail.loc` (array, required)

  - `detail.msg` (string, required)

  - `detail.type` (string, required)