Webhook subscribers
Push run + finding events to any HTTPS endpoint (Slack, PagerDuty, internal SOC tools). Pro plan and above; quota lives next to scheduled_runs in the catalog.
Key points
- Subscribers are tenant-scoped: a webhook only fires for runs of its owning tenant.
- Every payload is signed with HMAC-SHA256 using the subscriber's per-row secret. Verify before trusting.
- Delivery is retried with exponential backoff (4 attempts over ~15 minutes) before the subscriber is flagged degraded.
- Supported events: run.completed, run.failed, finding.critical, finding.high. Up to 10 events per subscriber.
01
What lands at your endpoint
- POST with JSON body. Headers include X-DID-Event, X-DID-Tenant, X-DID-Signature-256.
- Body shape mirrors the API contract (RunSummary / Finding) — the same schema you query from /v1/runs.
- trace_id propagates so a downstream system can correlate back to the run that triggered the call.
02
Operating recommendations
- Always verify the HMAC before persisting. Drop on mismatch.
- ACK 2xx within 10 seconds. If your handler is slow, queue the work and ACK first.
- Subscribe to finding.critical only if you page on it. Bulk SIEM ingestion is better served by run.completed.