figma guide

Designing webhooks and event subscriptions UI in Figma: endpoints, secrets, retries, and delivery logs

Design webhooks and event subscription UI in Figma with endpoint setup, signing secrets, event pickers, delivery logs, retry states, and Dev Mode specs for developer integrations.

Published
Updated
Jul 10, 2026
Read time
8 min
Level
Intermediate

Quick answer

Webhooks push event notifications to a URL your app controls—usually under Developer → Webhooks, Integrations → Event subscriptions, or Organization → Notifications. Design an endpoint list with URL, subscribed events, status (active/paused/failing), and last delivery; a create flow with URL validation, event multi-select, optional filters, and a one-time signing secret; plus a delivery log with HTTP status, payload preview, retry, and disable-on-failure. Pair with API keys for auth to your API, but keep webhook secrets separate. Log deliveries to audit activity when security-relevant. Start from the Figma guides hub and use Dev Mode handoff for payload schema annotations.


Who this is for

  • Product designers building developer settings for SaaS platforms, payment processors, and automation tools.
  • Design system teams distinguishing webhook UI from REST API docs and consumer notification preferences.
  • Engineers implementing HMAC verification, idempotent retries, dead-letter queues, and endpoint health checks.

Webhooks vs polling vs in-app notifications

PatternHow it worksBest forUI home
Webhook (push)Server POSTs to your URL on eventsReal-time sync, automationDeveloper → Webhooks
PollingClient calls API on intervalSimple integrations, no public URLAPI docs only
In-app notificationsBell icon, email, SMSHuman-readable alertsNotification preferences
SSE / WebSocketPersistent connectionLive dashboardsSeparate real-time docs

Verdict: webhooks belong in developer settings, not beside consumer email toggles. Users expect webhook failures to show HTTP status codes and retry actions, not marketing copy.


Endpoint list row anatomy

PartSpecNotes
LabelUser-defined name”Production orders”, “Staging sync”
URLTruncated HTTPS URLMask query params in display
EventsChip summaryorder.created +2 with tooltip
StatusActive / Paused / FailingFailing = N consecutive 4xx/5xx
Last deliveryRelative time + status icon✓ 200 or ✗ 502
ActionsView log, Edit, Pause, DeleteDelete requires confirm
WebhookEndpointRow
├── Variant: status=active | paused | failing | disabled
├── Variant: environment=production | staging
└── Layers:
    ├── StatusDot
    ├── NameLabel
    ├── UrlTruncated
    ├── EventChipGroup
    ├── LastDeliveryMeta
    ├── FailureBanner (conditional)
    └── ActionMenu

Link View delivery log from each row. When an endpoint is auto-disabled after failures, show a banner with Re-enable and link to troubleshooting docs.


Create webhook flow

StepUIValidation
1. NameText inputRequired, 3–64 chars
2. URLHTTPS URL inputMust be HTTPS; block localhost in prod
3. EventsSearchable multi-select by categoryAt least one event
4. Filters (optional)Resource ID, shop, regionProduct-specific
5. Secret revealSigning secret + copyOne-time only
6. Test deliverySend sample payload buttonShows result inline
7. DoneSummary + link to log

Secret reveal screen (same discipline as API token creation):

┌─────────────────────────────────────────────┐
│  Your signing secret                        │
│  Use this to verify webhook signatures.     │
│  ┌─────────────────────────────────────┐    │
│  │ whsec_xxxxxxxxxxxxxxxxxxxxxxxx      │ 📋 │
│  └─────────────────────────────────────┘    │
│  ☐ I have stored this secret securely       │
│  [ Send test event ]  [ Done ]              │
└─────────────────────────────────────────────┘

Offer Send test event before Done so engineers verify the endpoint before going live.


Event picker design

PatternBest for
Grouped checkboxes< 30 events in 5–8 categories
Search + multi-selectLarge event catalog
Preset bundles”All order events”, “All user events”
Subscribe to allEnterprise only; warn on volume
Event categoryExample eventsUI note
Ordersorder.created, order.paidHigh volume badge
Usersuser.updated, user.deletedLink to privacy
Billinginvoice.paid, subscription.canceledSensitive; log to audit
Securitylogin.suspicious, api_key.revokedPair with security activity

Document event names and sample JSON payloads in Dev Mode—engineers implement handlers against exact strings.


Delivery log and retry UI

Column / fieldPurpose
TimestampUTC with local tooltip
Event typeorder.created
HTTP status200, 404, 500, timeout
Durationms to first byte
Attempt1 of 5
ActionsResend, View payload, View response

Delivery detail drawer:

DeliveryDetail
├── SummaryRow (status, event, endpoint)
├── RequestSection
│   ├── Headers (redact Authorization)
│   └── PayloadJson (collapsible, syntax highlight)
├── ResponseSection
│   ├── StatusCode
│   ├── ResponseBody (truncated)
│   └── ResponseHeaders
└── RetryTimeline (attempt 1 → 2 → 3 with backoff)
Delivery stateUI treatment
SuccessGreen check; collapsible by default in list
Pending retryYellow clock; show next retry time
Failed (exhausted)Red; offer manual resend
Endpoint disabledBanner on endpoint row + email to admin

Show exponential backoff in retry timeline: “Retry in 1m, 5m, 30m, 2h, 24h”—designers should spec intervals even if copy is dynamic.


Pause, disable, and failure handling

ActionUXEngineering note
PauseStops new deliveries; queue optionalReversible instantly
Disable after N failuresAuto-pause + emailDefault N = 10–25
Delete endpointConfirm modal; irreversibleIn-flight deliveries may still complete
Rotate secretNew secret; old valid 24hSame grace pattern as API key rotation

Failure banner copy: “This endpoint returned 502 for 12 consecutive deliveries. Webhooks are paused until you fix the URL or re-enable.”

Link to Verify signature docs and IP allowlist if your product supports outbound IP listing for firewall rules.


Empty, error, and edge states

StateCopy / UI
Empty list”No webhooks yet” + Create CTA + link to quickstart
Invalid URL on create”URL must use HTTPS” inline
Test delivery failedShow status + response body snippet
Rate limited”Too many endpoints—contact support or delete unused”
Org policy disabled”Your admin disabled webhooks”

For high-volume products, show estimated events/day when user selects “Subscribe to all”—prevent accidental bill shock or server overload.


Security settings page layout

SectionContents
Header”Webhooks” + docs link
Policy note”Verify signatures on every request”
Create buttonPrimary, top-right
Active endpointsTable or card list
Paused / failingSection with warning styling
Recent deliveriesGlobal feed optional for admins

Place under Developer or Integrations in account dashboard—adjacent to API keys, not inside notification preferences.


Handoff checklist

ItemDev Mode annotation
Signature header namee.g. X-Webhook-Signature
Signature algorithmHMAC-SHA256
Secret formatPrefix + length
Retry scheduleIntervals and max attempts
Idempotency key headerIf supported
Payload schemaLink to OpenAPI or JSON sample per event
TimeoutSeconds before attempt marked failed
IP egress listIf published for allowlisting
a11yStatus icons have text labels; JSON viewer keyboard navigable

For PCI or PII events, annotate which payload fields must be redacted in logs displayed to non-admin users.


Common mistakes

MistakeWhy it hurtsFix
Webhooks mixed with email togglesUsers disable “order emails” and break integrationsSeparate developer page
No test delivery on createBroken URLs discovered in productionInline test step
Showing full secret after setupScreenshot leaksOne-time reveal only
Delivery log without response bodyEngineers can’t debug 400 errorsShow truncated response
No auto-pause on failuresInfinite retry hammers customer serverDisable after N failures
Event names not searchableWrong subscriptionsSearch + categories
Missing manual resendStuck events after fixResend button on failed row
HTTP URLs allowed in prodMITM riskHTTPS-only validation

  1. Inventory events with API team—group for picker UI.
  2. Design endpoint list row with status, events, last delivery.
  3. Build create wizard through secret reveal and test delivery.
  4. Design delivery log with payload/response drawers and retry timeline.
  5. Add pause, auto-disable, and secret rotation flows.
  6. Wire security events to audit log.
  7. Separate from consumer notifications in information architecture.
  8. Prototype failing endpoint and re-enable flow.

FAQ

Webhooks vs API keys—which does my integration need?

API keys let your app call the platform’s API. Webhooks let the platform call your server when something happens. Most integrations need both.

Should we show full payload JSON in the UI?

Yes for admins and developers, with truncation for large payloads. Redact tokens, card numbers, and passwords in displayed JSON.

How long should delivery logs be retained?

Common ranges: 7–30 days for self-serve; longer for enterprise. Show retention policy in log footer.

Support multiple URLs per event type?

Yes—many products allow several endpoints with different event subscriptions. List view should scale to 10–50 endpoints per org.

Webhook signing vs mTLS?

Signing secret is the default UX. mTLS is enterprise-only—separate toggle, not the default create flow.


Next steps

Share on X

§ Keep reading

Related guides.