Webhooks
Register outbound webhook endpoints that receive HMAC-signed event deliveries whenever something interesting happens in your organization. The admin page handles endpoint CRUD; the detailed delivery contract — event catalog, signature verification, retry schedule — lives at API → Webhooks.
Where this lives
Sidebar → Webhooks under the Integrations section, at /organization/webhooks.
Creating an endpoint
Click + Add endpoint. The dialog asks for:
- URL — the public HTTPS URL that will receive deliveries. Tunnels (cloudflared, ngrok) work fine for local development.
- Description (optional) — short note, e.g. "Slack #appsec notifier" or "Jira ticket creator".
- Events — which event types to subscribe to. The four shipping events today are assignment.created, assignment.completed, sarif.ingested, and certificate.issued.
On submit the dialog displays the signing secret (whsec_…) once. Copy it to your secrets manager immediately. You need it to verify every incoming delivery; see API → Webhooks for verification code in Node, Python, and Go.
Listing endpoints
The list view shows every webhook endpoint for your organization. Each row carries the URL, the subscribed events, the creator, and a live health indicator:
| Status | Meaning |
|---|---|
| Healthy | Last delivery returned a 2xx response. |
| Failing | Last delivery returned a non-2xx response or timed out, but the endpoint is still being retried. |
| Pending | The endpoint exists but has not yet received its first delivery. |
| Disabled | The endpoint exhausted the retry schedule on a recent delivery and was automatically disabled. The last delivery timestamp is preserved so you can see when it failed. |
Editing and deleting
Click Edit to update the URL, the description, or the event subscription list. Switching the Active toggle off pauses delivery without deleting the endpoint; switching it back on resumes delivery and clears the auto-disabled state. Click Delete to remove the endpoint entirely — pending deliveries to it are cancelled and the row is dropped from the list.
Inspecting recent deliveries
The ⟳ Deliveries button on each row opens a drawer listing the most recent 50 delivery attempts for that endpoint. Each entry shows the event type, the event id, the current status (pending / delivered / failed / exhausted), the attempt count, the HTTP status code returned by your endpoint, any error message, and the timestamps.
Use this view to debug a misbehaving consumer without having to instrument your own receiver — if the receiver is returning a 5xx, the message you see here is the same message your application logged.
Retry and auto-disable
Failed deliveries retry on a 1m → 5m → 30m → 2h schedule for up to five total attempts. After the fifth failure the endpoint is auto-disabled and the last delivery is marked exhausted. To re-enable, fix the receiver, then either click Active in the Edit dialog or send PATCH /api/sch/org/webhooks/{id} with {"isActive": true} through the API.
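The retry schedule and health states above, modelled as an added example (not the product's own code) so you can see how long a receiver outage can last before the endpoint is disabled and events stop arriving. It assumes attempt 1 is sent immediately, each delay counts from the previous attempt, and a delivery shows as failed between retries; the function names and response lists are constructed.

```python
from datetime import datetime, timedelta, timezone

# Delays before attempts 2-5, from the page: 1m -> 5m -> 30m -> 2h.
RETRY_DELAYS = [timedelta(minutes=1), timedelta(minutes=5),
                timedelta(minutes=30), timedelta(hours=2)]
MAX_ATTEMPTS = 5  # five total attempts, then the endpoint is auto-disabled


def simulate_delivery(first_attempt, responses):
    """Replay one delivery against a receiver.

    responses: HTTP status per attempt, None for a timeout (constructed input).
    Assumption: attempt 1 goes out at first_attempt and every delay is
    measured from the previous attempt.
    """
    when = first_attempt
    attempts = []
    delivery, endpoint = "pending", "Pending"  # no delivery received yet
    for n, code in enumerate(responses[:MAX_ATTEMPTS], start=1):
        if n > 1:
            when += RETRY_DELAYS[n - 2]
        attempts.append((n, when, code))
        if code is not None and 200 <= code < 300:
            delivery, endpoint = "delivered", "Healthy"
            break
        if n == MAX_ATTEMPTS:
            delivery, endpoint = "exhausted", "Disabled"
        else:
            # Assumption: "failed" is the status shown while retries remain.
            delivery, endpoint = "failed", "Failing"
    return {"delivery": delivery, "endpoint": endpoint, "attempts": attempts}


def recovery_window():
    """Time from the first failed attempt to the fifth and final attempt."""
    return sum(RETRY_DELAYS, timedelta())


if __name__ == "__main__":
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed
    outage = simulate_delivery(start, [503, None, 503, 503, 503])
    for n, when, code in outage["attempts"]:
        print(n, when.isoformat(), code)
    print(outage["delivery"], outage["endpoint"], recovery_window())
```

Under these assumptions a receiver has 2 hours 36 minutes from the first failed attempt to start returning 2xx before the endpoint is disabled, so alert on the Failing state rather than waiting for Disabled.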
Programmatic access
Every action on this page is also reachable from the public API — see API → Webhooks for the CRUD surface and the delivery contract.