Webhook payloads and secrets

This is the full reference for the TradingView webhook endpoint — covering two authentication methods (body secret and HMAC header), the five payload fields, deduplication behaviour, a rate limit of 30 signals per 60 seconds, and all response codes.

Endpoint

POST /api/webhooks/tradingview/:strategyId

strategyId is the strategy's database ID, visible in the webhook URL shown on the strategy detail page.

How is the webhook authenticated?

Two methods are accepted:

Body secret (recommended for TradingView): Include a secret field in the JSON body. Coinrule compares it to the stored secret using a constant-time comparison.

{
  "secret": "<your-strategy-secret>",
  "side": "buy"
}

HMAC header (for custom integrations): Compute HMAC-SHA256(raw_body, secret) and send as the X-Coinrule-Signature header. The body does not need a secret field.

What fields does the payload accept?

How does deduplication work?

If you include an id field, the endpoint deduplicates signals using that value — a second request with the same id within 24 hours is silently ignored (returns 200 OK but no trade). If no id is provided, a SHA-256 hash of the request body is used as the dedup key.

What is the rate limit?

30 signals per 60 seconds per strategy. Exceeding this returns HTTP 429.

Credit cost

Each accepted signal costs 1 credit (third-party driver). Signals rejected due to rate limiting or deduplication are not charged.

What do the response codes mean?

How do I manage webhook secrets?

On the strategy detail page → TradingView panel:

• Generate — create a new secret (only if none exists)
• Rotate — replace the current secret with a new one; old secret is immediately invalid
• Delete — remove the secret and disable webhook reception for this strategy