GET /v1/meta/webhook-ips — IP allowlist hint for webhook subscribers.

Pattern lifted from Linear (6 static IPs page) and GitHub (GET /meta with hooks field). Subscribers behind enterprise firewalls need to know which source IPs to trust; without this they either disable signature-based trust or refuse our deliveries.

Source of truth is the PEGANA_WEBHOOK_EGRESS_IPS env var (comma-separated). Default falls back to the Hetzner production box’s static IP. When we add a second box, set the env to 49.12.240.164,<new-ip> — no code change required.

GET

Response

200 - application/json

Webhook egress IP allowlist

ips

string[]

required

IPv4 / IPv6 addresses Pegana POSTs from when delivering webhooks. Subscribers running zero-trust ingress can allowlist these.

recheck_after

string<date-time>

required

Hint to refresh this list weekly — IPs can change without notice during infrastructure migrations.

GET /v1/meta/webhook-keys — active Ed25519 public keys for verifying inbound webhook signatures.Lifted from the GitHub pattern (`GET /meta` with `ssh_keys`). During key rotation we publish BOTH the outgoing primary AND the incoming secondary here, so receivers can pre-trust the new key before we cut over. See `pegana_common::webhook_sign` for the full rotation playbook.

⌘I

GET /v1/meta/webhook-ips — IP allowlist hint for webhook subscribers.

curl --request GET \
  --url https://api.pegana.xyz/v1/meta/webhook-ips

{
  "ips": [
    "<string>"
  ],
  "recheck_after": "2023-11-07T05:31:56Z"
}