Webhooks
Subscribe a URL and we POST every verified-capper pick to it. HMAC-SHA256 signed. Free. No signup, no API key. Your secret is the auth.
Subscribe
curl -X POST https://nuropicks.com/api/webhooks \
-H 'Content-Type: application/json' \
-d '{
"owner_email": "[email protected]",
"target_url": "https://your-server.com/np-webhook",
"capper_handle": "sharpsam",
"sport": "nba"
}'Both capper_handle and sport are optional filters. Omit both to get every pick. Response includes a 64-char hex secret. Save it. We never expose it again.
Event payload
POST https://your-server.com/np-webhook
Content-Type: application/json
X-NuroPicks-Event: pick.posted
X-NuroPicks-Signature: sha256=<hmac>
{
"event": "pick.posted",
"webhook_id": "42",
"delivered_at": "2026-04-29T17:14:30Z",
"pick": {
"pickUuid": "0d4e...c8a1",
"capperHandle": "sharpsam",
"capperTier": "verified_sharp",
"sport": "nba",
"game": "Lakers @ Nuggets",
"market": "spread",
"pick": "Lakers +5.5",
"oddsAmerican": -110,
"oddsDecimal": 1.91,
"stakeUnits": 1.0,
"postedAt": "2026-04-29T17:14:25Z",
"verifyUrl": "https://nuropicks.com/p/0d4e...c8a1"
}
}Settled-event payload
When a pending pick grades to win / loss / push / void, you get a second event for the same pickUuid. Read the X-NuroPicks-Event header to route.
POST https://your-server.com/np-webhook
Content-Type: application/json
X-NuroPicks-Event: pick.settled
X-NuroPicks-Signature: sha256=<hmac>
{
"event": "pick.settled",
"webhook_id": "42",
"delivered_at": "2026-04-29T22:14:30Z",
"pick": {
"pickUuid": "0d4e...c8a1",
"capperHandle": "sharpsam",
"capperTier": "verified_sharp",
"sport": "nba",
"game": "Lakers @ Nuggets",
"market": "spread",
"pick": "Lakers +5.5",
"oddsAmerican": -110,
"oddsDecimal": 1.91,
"stakeUnits": 1.0,
"postedAt": "2026-04-29T17:14:25Z",
"verifyUrl": "https://nuropicks.com/p/0d4e...c8a1"
},
"settlement": {
"result": "win",
"settledAt": "2026-04-29T22:14:25Z",
"closingOddsAmerican": -105
}
}Verify the signature
Compute HMAC-SHA256(raw_body, your_secret) and constant-time-compare against the X-NuroPicks-Signature header (strip the sha256= prefix).
# node.js
const crypto = require('crypto');
function verify(body, secret, header) {
const expected = 'sha256=' +
crypto.createHmac('sha256', secret).update(body).digest('hex');
return crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(header));
}
# python
import hmac, hashlib
def verify(body: bytes, secret: str, header: str) -> bool:
expected = 'sha256=' + hmac.new(
secret.encode(), body, hashlib.sha256
).hexdigest()
return hmac.compare_digest(expected, header)Failure handling
We retry the same pick on the next fanout cycle (every 60s) when your server returns non-2xx. After 5 consecutive failures, the subscription auto-disables. Re-subscribe by POSTing again.
Revoke a subscription
curl -X DELETE https://nuropicks.com/api/webhooks/42 \ -H 'X-Webhook-Secret: <your-saved-secret>'
List your subscriptions
curl 'https://nuropicks.com/api/[email protected]'
Returns metadata for every webhook owned by that email, but not the secret.
Notes
- Only
https://targets accepted. Private/internal hosts rejected. - Subscribe rate limit: 5 per hour per IP.
- Per-webhook fanout cap: 50 picks per cycle (enough for 50 picks/min sustained).
- Two event types fire on the same subscription:
pick.postedandpick.settled. Route on theX-NuroPicks-Eventheader. - Discord channel webhooks auto-detected. If your
target_urlhost isdiscord.com/discordapp.com, fanout posts embed-shaped JSON instead of the raw envelope. No HMAC headers (Discord rejects them); the URL itself is the secret. - 21+. NuroPicks tracks bets you log; we don't place them.
Must be 21+. Gambling problem? Call 1-800-GAMBLER. NJ/PA: 1-800-GAMBLER · MI: 1-800-270-7117 · VA: 1-888-532-3500 · CO: 1-800-522-4700 · NY: 877-846-7369 (HOPENY).
NuroPicks LLC · 30 N Gould St Ste R, Sheridan, WY 82801