API & Webhooks
Belvak has a REST API and signed webhooks so you can build on top of your workspace or connect it to automation tools. Use the API to read and write your records, and use webhooks to be told the moment something changes, instead of checking on a schedule.
If all you want is a message in Slack or your books in QuickBooks, you may not need the API at all. Belvak already sends notifications to Slack and syncs your books with QuickBooks without any code. The API is for everything beyond those built-in connections. The full technical reference, with every field and event, lives on the developer reference page.
Creating and managing API keys
An API key is what lets a script or an automation tool act as your workspace. API access is a Professional plan feature, so keys are available once your workspace is on Professional.
Where to find API keys
Open Settings, go to the Integrations tab, and find the API & Webhooks panel. Your keys and webhooks are both managed there.
Creating an API key
- In the API & Webhooks panel, choose Create key.
- Give it a label that says where it will be used, for example "Zapier" or "Reporting script".
- Copy the key that appears and store it somewhere safe.
The key is shown once
Copy it now. The full key is shown a single time, right after you create it. Belvak never shows it again. If you lose it, rotate the key to get a new one.
Rotating and revoking a key
You can rotate or revoke a key at any time from the same panel. Both take effect immediately: a revoked or rotated key stops working on its very next request, so if a key is ever exposed you can shut it off at once. Rotating gives you a fresh key to paste into your tool while the old one dies.
Who can manage keys
Only an admin can create, rotate, or revoke keys, so managing them needs the workspace settings permission. Keys belong to the whole workspace rather than to one person, and removing or changing the role of the person who made a key does not switch the key off. If someone leaves, rotate the keys they set up. You can review roles in the roles and permissions guide.
Authenticating requests
The bearer header
Send your key on every request as a bearer token in the Authorization header:
Authorization: Bearer bv_live_...
Testing your connection
The quickest way to check a key works is to call the connection-test endpoint. It returns your workspace name, your plan, and details about the key. If it comes back with your workspace, the key is good.
GET https://app.belvak.com/api/v1/me
Ids match what you see in Belvak
Every id in the API is the same reference number you see in your workspace, the one shown as #N on a record. Related records are linked by these numbers too, for example an invoice carries the project_id of the project it belongs to.
Registering webhooks
A webhook is a URL that Belvak posts to whenever something you care about happens. You can register one from Settings or over the API.
Adding a webhook in Settings
- In the API & Webhooks panel, choose Add webhook.
- Paste the URL that should receive the events (from Zapier, Make, n8n, Pipedream, or your own server).
- Pick the events you want, or subscribe to all of them.
- Save, then copy the signing secret that appears.
Registering a webhook with the API
You can also create, list, update, and remove webhooks through the API instead of the settings screen. See the developer reference for the exact calls.
The signing secret is shown once
Copy the secret now. Like an API key, a webhook's signing secret is shown a single time when you create it. You use it to check that deliveries really came from Belvak. If you lose it, rotate the secret to get a new one.
Choosing events
A webhook can listen for specific events or for everything. Start narrow, with just the events your workflow needs, and add more later. You can change the events, the URL, or disable a webhook whenever you like.
Verifying webhook signatures
Every delivery is signed with your webhook's secret, so your receiver can confirm it came from Belvak and was not tampered with. Automation tools like Zapier handle the delivery for you, but if you receive webhooks on your own server, verify the signature.
The signature header
Each delivery carries a Belvak-Signature header with a timestamp and a signature:
Belvak-Signature: t=1750000000,v1=<hex>
How to verify a delivery
- Read the timestamp
tand the exact raw body of the request, before any parsing. - Join them with a dot to make the string
{t}.{rawBody}. - Compute an
HMAC-SHA256of that string using your webhook secret. - Compare your result to the
v1value using a constant-time comparison. - Reject the delivery if the timestamp is more than five minutes away from your own clock, which stops replays.
Always verify against the raw body exactly as received. Parsing the JSON and rebuilding it changes the bytes and breaks the signature.
A worked example
With these fixed inputs you should get exactly the signature below. Use it to confirm your verification code before going live:
secret whsec_test_secret
timestamp 1750000000
raw body {"event":"invoice.created"}
signed string:
1750000000.{"event":"invoice.created"}
HMAC-SHA256 (hex):
0556c1c4f94574349f40d02a3d8038ddf20d741c66fe42de885f695ff11fef86Connecting Zapier
There is no Belvak app in the Zapier directory yet. You connect the two using Zapier's own building blocks: Webhooks by Zapier to start a Zap from a Belvak event, and API by Zapier to read or write your Belvak data. The dedicated Zapier integration page walks through the same setup with screenshots.
Triggering a Zap from a Belvak event
- In Zapier, start a Zap and choose Webhooks by Zapier as the trigger, then Catch Hook.
- Zapier gives you a custom webhook URL. Copy it.
- In Belvak, add a webhook and paste that URL, then choose which events should fire the Zap.
- Send a test event so Zapier can see the shape of the data, then finish building your Zap.
Reading and writing Belvak from a Zap
- Add an API by Zapier action step.
- Point it at the Belvak endpoint you need, for example to create a client or raise an invoice.
- Add your API key as an
Authorizationheader,Bearer bv_live_.... - Map fields from your trigger into the request, and test the step.
Keeping your API key private
Save your key as a stored Authorization header on the API by Zapier step, where other people editing the Zap cannot read it. The Custom Request action works too, but anything you type into it is visible to everyone who can edit that Zap, so prefer the stored header. You can always rotate the key from Settings if you need to.
Which plan you need
On the Belvak side, API keys and webhooks are a Professional plan feature. On the Zapier side, the Webhooks by Zapier and API by Zapier steps are part of Zapier's own paid plans, so you will need a Zapier plan that includes them.
Connecting Make, n8n, and Pipedream
Any tool that can receive a webhook and make an HTTP request can work with Belvak today. The pattern is always the same: use the tool's webhook trigger to catch Belvak events, and its HTTP request step to call the Belvak API with your key. Here is how that looks in three popular tools.
Make
- Add a Webhooks module and choose Custom webhook as the trigger. Make gives you a URL.
- Register that URL as a Belvak webhook and pick your events.
- To write back, add an HTTP module, Make a request, pointed at the Belvak endpoint with an
Authorization: Bearerheader.
n8n
- Add a Webhook trigger node and copy its production URL.
- Register that URL as a Belvak webhook and pick your events.
- To write back, add an HTTP Request node with header authentication, sending
Authorization: Bearer bv_live_...to the Belvak endpoint.
Pipedream
- Start a workflow with an HTTP / Webhook trigger and copy the endpoint URL.
- Register that URL as a Belvak webhook and pick your events.
- To write back, add an HTTP request step and send your Belvak call with an
Authorization: Bearerheader.
Tip: Keep your API key in the tool's own credential or secret store rather than typing it into a step directly, so teammates who can edit the workflow do not see it.
Webhook events reference
The 33 events
There are 33 events in total: a created, updated, and deleted event for each of the eleven record types you can work with:
- client, project, invoice, payment, proposal
- supplier, purchase, employee, maintenance
- referral, note
So the event names read like invoice.created, payment.created, or client.updated. These mirror the same changes your notifications and activity log already track.
What each delivery contains
Deliveries are deliberately small. Each one tells you the event name, when it happened, the workspace it came from, and the public id of the record, plus, for most events, a link to read the full record from the API. Deleted events and note events do not carry that link: a deleted record is gone, and notes are read as a list on their parent record. You hydrate the details with a normal API call when you need them. One thing to know: when an invoice's status flips because a payment arrived, that does not send an invoice.updated event. Read the invoice again after the payment.created event instead.
Duplicates and tombstones
Belvak aims to deliver every event at least once, which means a delivery can occasionally arrive more than once. Each delivery carries a unique id in the Belvak-Delivery header, so treat that id as seen and ignore repeats. If a delivery fails, Belvak retries it automatically with a growing delay, and a webhook that keeps failing is switched off for you until you fix and re-enable it.
A deleted event is a tombstone: it carries the public id of the record that was removed so you can mirror the deletion, but it has no link to read the record back, because it is gone.
Tip: Make your handler idempotent. Because the same change can produce a repeat delivery, acting on an event more than once should be harmless. Dedupe on the delivery id and you are covered.
Related Articles
Notifications
Stay on top of what needs your attention with the notification bell, the notification center, and self-updating reminders.
Invoicing & Payments
Master invoicing, tax and VAT, recurring invoice approvals, payment tracking, and template customization.
Account & Settings
Configure roles, permissions, currencies, taxes, and system-wide preferences.
Getting Started
Everything you need to sign in, set up your workspace, invite your team, and create your first records.