SigSentry Documentation

Send analysis results to any HTTPS endpoint, optionally authenticated with Bearer token or HMAC signature

Use the Generic Webhook channel to send notifications to any HTTPS endpoint — your own service, a third-party platform we don't have a native adapter for, or a serverless function. Both Bearer token authentication and HMAC-SHA256 signing are optional.

When to use this

If you want to...	Use this channel
Forward analyses to your in-house alerting	✅
Trigger a Zapier / Make / n8n workflow	✅
Post into a platform we don't have a native adapter for	✅
Verify the request actually came from SigSentry	✅ (HMAC signing)

Setup walkthrough

Stand up an HTTPS endpoint

The endpoint must:

Accept POST requests
Be reachable from SigSentry's API (public or appropriately network-accessible)
Return a 2xx status on success
Respond quickly; long-running work should be enqueued and processed asynchronously

(Optional) Generate an HMAC secret

If you want to verify signatures, generate a random secret of at least 32 bytes:

openssl rand -hex 32

Save this — you'll paste it into both SigSentry and your endpoint's verification logic.

Add the channel in SigSentry

Project → Channels → Add Channel.

Field	Value
Type	Generic Webhook
Name	Descriptive label, e.g. `internal-alerting`
URL	Your HTTPS endpoint
Auth header	(Optional) e.g. `Bearer <your-token>`
HMAC secret	(Optional) The secret you generated
Severity threshold	Lowest severity to trigger this channel

Save and verify

Click Save. Run a test analysis. Your endpoint should receive a POST request with the JSON payload.

Payload shape

The body is a JSON object:

{
  "analysisId": "anl_abc123",
  "tenantId": "tnt_xyz789",
  "projectId": "prj_def456",
  "projectSlug": "prod",
  "severity": "high",
  "summary": "Checkout API returning 500s due to expired auth tokens",
  "rootCause": {
    "service": "checkout-api",
    "errorType": "AuthenticationError",
    "category": "deploy_regression"
  },
  "affectedServices": [
    { "name": "checkout-api", "role": "origin", "errorCount": 142 }
  ],
  "suggestedActions": [
    { "type": "fix", "action": "Revert PR #482 or hotfix token check", "priority": 1 }
  ],
  "url": "https://dashboard.sigsentry.com/dashboard/projects/prod/analyses/anl_abc123",
  "timestamp": "2026-04-25T18:00:00.000Z"
}

The full schema is documented in the Outgoing webhooks reference.

Verifying signatures (HMAC)

When you configure an HMAC secret, SigSentry signs every request with the header X-SigSentry-Signature: sha256=<hex>. Verify on your end by computing HMAC-SHA256 of the raw body bytes with your secret and comparing in constant time.

import { createHmac } from 'node:crypto';

function isValid(body, signature, secret) {
  const expected = 'sha256=' + createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  return signature === expected;
}

import hmac, hashlib

def is_valid(body: bytes, signature: str, secret: str) -> bool:
    expected = 'sha256=' + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature, expected)

Always sign the raw bytes of the request body before any JSON parsing. Re-serializing JSON in your handler can change whitespace and break signature verification.

Symptom	Likely cause
Endpoint receives no requests	Channel inactive, severity below threshold, or URL unreachable
Signature mismatch	Verifying parsed JSON instead of raw bytes; whitespace changed
Endpoint sees 401 from SigSentry's perspective	The Auth header value is wrong format (missing `Bearer` prefix?)
Slow / timing out	Endpoint takes >10s; SigSentry retries; reduce endpoint work or queue async

Generic Webhook

When to use this

Setup walkthrough

Stand up an HTTPS endpoint

(Optional) Generate an HMAC secret

Add the channel in SigSentry

Save and verify

Payload shape

Verifying signatures (HMAC)

Bearer token auth

Retries and idempotency

Troubleshooting

On this page