ChangeVault
API Reference

Outgoing webhooks

Receive signed HTTP POST requests when changes are created, updated or deleted.

Outgoing webhooks let ChangeVault push events to any external system in real time — incident management tools, custom dashboards, chat bots and more.

See Notifications → Outgoing webhooks for setup instructions.

Payload format

Every delivery is a POST request with a JSON body:

{
  "event": "change.created",
  "timestamp": "2025-04-07T10:00:00.000Z",
  "data": {
    "id": "uuid",
    "title": "Deployed api-service v3.1.0",
    "risk_level": "medium",
    "status": "completed",
    "organization_id": "org_...",
    "service": { "id": "uuid", "name": "api-service" },
    "host_ref": { "id": "uuid", "hostname": "web-01" },
    "tags": ["deploy", "prod"],
    "created_at": "2025-04-07T10:00:00Z"
  }
}

Events

EventTrigger
change.createdA new change is logged
change.updatedAn existing change is updated
change.deletedA change is deleted

Request headers

HeaderDescription
Content-Typeapplication/json
X-ChangeVault-EventThe event name (e.g. change.created)
X-ChangeVault-TimestampUnix timestamp in milliseconds
X-ChangeVault-SignatureHMAC-SHA256 signature (see below)

Verifying signatures

Each delivery is signed with your webhook's secret using HMAC-SHA256. Verify the signature to confirm the request came from ChangeVault.

The signed payload is: {timestamp}.{raw JSON body}

import crypto from "crypto";

function verifySignature(
  secret: string,
  rawBody: string,
  timestamp: string,
  signature: string
): boolean {
  const payload = `${timestamp}.${rawBody}`;
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(signature)
  );
}

Always verify the signature before processing a webhook. Reject requests with invalid or missing signatures.

Retries

ChangeVault does not automatically retry failed deliveries. Use the Test button in the dashboard to re-send a test payload at any time.

Timeouts

Deliveries time out after 10 seconds. Ensure your endpoint responds quickly — offload heavy processing to a background job.

On this page