Register a new outbound webhook subscription. The server generates the signing secret — the raw secret is returned exactly once in this response and is never stored in plaintext.

Your API key must have the scopes required for each subscribed event:

• employee.created / employee.updated → read:employees
• punch.created / punch.updated → read:punches

Required scope: webhooks