Overview
Webhooks deliver events to your endpoint as they happen. Use them to trigger remediation workflows, update dashboards, or notify your team.
Events
| Event | Description |
|---|---|
| scan.created | A new pentest has been started |
| scan.completed | A pentest finished successfully |
| scan.failed | A pentest failed during execution |
| scan.cancelled | A pentest was cancelled |
| vulnerability.created | A new vulnerability was found |
| vulnerability.status_changed | A vulnerability status was updated |
| * | Subscribe to all events |
Create a webhook
```bash
curl -X POST "https://app.strix.ai/api/v1/webhooks" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-app.com/strix-webhook",
    "events": ["scan.completed", "vulnerability.created"],
    "is_active": true
  }'
```
Required scope: webhooks:write
The response includes a secret field. This is the HMAC key your endpoint will use to verify signatures, so store it in a secrets manager rather than in source or logs; it will not be shown again.
Verify webhook signatures
Every webhook delivery includes signature headers for verification:
| Header | Description |
|---|---|
| X-Strix-Event | The event type (e.g. scan.completed) |
| X-Strix-Delivery | Unique delivery ID (use as idempotency key) |
| X-Strix-Timestamp | ISO 8601 timestamp of when the event was sent |
| X-Strix-Signature | HMAC-SHA256 signature for payload verification |
Signature verification (Node.js)
```javascript
import crypto from "crypto";

export function verifyStrixWebhook(rawBody, headers, secret) {
  // Node lower-cases incoming header names.
  const signature = headers["x-strix-signature"];
  const timestamp = headers["x-strix-timestamp"];
  if (typeof signature !== "string" || typeof timestamp !== "string") return false;

  // Reject unparsable or stale timestamps to bound the replay window.
  const parsedTime = Date.parse(timestamp);
  const ageMs = Math.abs(Date.now() - parsedTime);
  if (!Number.isFinite(parsedTime) || ageMs > 5 * 60 * 1000) return false;

  // The signed message is the timestamp, a dot, and the raw body bytes exactly as received.
  const payload = `${timestamp}.${rawBody}`;
  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");

  // timingSafeEqual throws if the inputs differ in length, so check the length
  // first: a wrong-length signature is simply invalid.
  const expectedBuf = Buffer.from(expected);
  const signatureBuf = Buffer.from(signature);
  if (expectedBuf.length !== signatureBuf.length) return false;
  return crypto.timingSafeEqual(expectedBuf, signatureBuf);
}
```
Always verify the signature before parsing or processing a webhook payload, and compute the HMAC over the raw request body as received rather than over re-serialized JSON, since any change in whitespace or key order produces a different digest. Reject requests whose timestamp is older than 5 minutes to limit replay attacks, and compare signatures with a constant-time comparison as above.
Delivery and retries
Events are delivered asynchronously with retries and exponential backoff. Because a retry can redeliver an event your endpoint already received, treat the X-Strix-Delivery header as an idempotency key: record the IDs you have processed and acknowledge a repeat without doing the work again.
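The following is an added example, not Strix's own code, that ties the signature check together with idempotent processing: a small Node.js receiver that verifies X-Strix-Signature using the scheme documented above (hex HMAC-SHA256 over `timestamp.rawBody`, 5-minute window), refuses to parse unauthenticated bodies, and deduplicates on X-Strix-Delivery. It assumes Node lower-cases header names and that signatures are plain hex with no prefix; the secret, body and delivery ID used in the notes below are constructed for illustration.

```javascript
// Added example, not Strix's own code. Signature scheme taken from this page:
// hex(HMAC-SHA256(secret, `${timestamp}.${rawBody}`)), 5-minute replay window.
// Secret, payload and delivery IDs used with this code are constructed test values.
import crypto from "node:crypto";
import http from "node:http";

const MAX_AGE_MS = 5 * 60 * 1000;

// Produce the signature the same way the sender does. rawBody may be a string
// or a Buffer; feeding it to update() directly avoids any re-encoding.
export function signPayload(secret, timestamp, rawBody) {
  return crypto
    .createHmac("sha256", secret)
    .update(`${timestamp}.`)
    .update(rawBody)
    .digest("hex");
}

// Constant-time compare that returns false instead of throwing on a length mismatch.
function safeEqual(a, b) {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && crypto.timingSafeEqual(ab, bb);
}

// `now` is injectable so the replay-window check is deterministic under test.
export function verifySignature(rawBody, headers, secret, now = Date.now()) {
  const signature = headers["x-strix-signature"];
  const timestamp = headers["x-strix-timestamp"];
  if (typeof signature !== "string" || typeof timestamp !== "string") return false;
  const sentAt = Date.parse(timestamp);
  if (!Number.isFinite(sentAt) || Math.abs(now - sentAt) > MAX_AGE_MS) return false;
  return safeEqual(signPayload(secret, timestamp, rawBody), signature);
}

// handle() returns the status it would send so the logic can run without a socket.
// `seen` is an in-memory Set for illustration; persist it (e.g. a unique index on
// delivery_id) so restarts and multiple replicas still deduplicate.
export function createReceiver(secret, { now = Date.now, onEvent = () => {} } = {}) {
  const seen = new Set();
  const processed = [];

  function handle(rawBody, headers) {
    // 1. Authenticate first; unauthenticated input never reaches the JSON parser.
    if (!verifySignature(rawBody, headers, secret, now())) {
      return { status: 401, reason: "invalid signature or stale timestamp" };
    }
    // 2. Idempotency: a retried delivery carries the same X-Strix-Delivery value.
    const deliveryId = headers["x-strix-delivery"];
    if (typeof deliveryId !== "string" || deliveryId === "") {
      return { status: 400, reason: "missing X-Strix-Delivery" };
    }
    if (seen.has(deliveryId)) {
      return { status: 200, reason: "duplicate delivery" }; // ack so retries stop, do no work
    }
    // 3. Only now parse the body. A malformed body will not improve on retry.
    let event;
    try {
      event = JSON.parse(rawBody.toString());
    } catch {
      return { status: 400, reason: "body is not JSON" };
    }
    // 4. Do the work, then mark the delivery seen. Marking it before the work
    //    succeeds would silently drop the event if the handler throws.
    try {
      onEvent(headers["x-strix-event"], event);
    } catch (err) {
      return { status: 500, reason: `handler failed: ${err.message}` }; // sender will retry
    }
    seen.add(deliveryId);
    processed.push({ type: headers["x-strix-event"], deliveryId, event });
    return { status: 200, reason: "processed" };
  }

  // Plain http wiring. The body is collected as raw bytes and passed through
  // untouched; parsing and re-serialising it would break the HMAC.
  function listen(port) {
    return http
      .createServer((req, res) => {
        const chunks = [];
        req.on("data", (c) => chunks.push(c));
        req.on("end", () => {
          const result = handle(Buffer.concat(chunks), req.headers);
          res.writeHead(result.status, { "Content-Type": "text/plain" });
          res.end(result.reason);
        });
      })
      .listen(port);
  }

  return { handle, listen, processed };
}
```

Two design choices are worth noting. The receiver returns 200 for a duplicate rather than an error, because the goal is to stop the sender's retries, not to signal a fault; and it adds the delivery ID to `seen` only after `onEvent` succeeds, returning 500 on failure so a retry gets another chance instead of being treated as a duplicate of work that never completed.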
Manage webhooks
List webhooks
```bash
curl -X GET "https://app.strix.ai/api/v1/webhooks" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>"
```
Required scope: webhooks:read
Update a webhook
```bash
curl -X PATCH "https://app.strix.ai/api/v1/webhooks/<WEBHOOK_ID>" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"events": ["*"], "is_active": true}'
```
Required scope: webhooks:write
Rotate webhook secret
```bash
curl -X PATCH "https://app.strix.ai/api/v1/webhooks/<WEBHOOK_ID>" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"rotate_secret": true}'
```
The response includes the new secret. The old secret is invalidated immediately, so update the secret your endpoint verifies against as part of the same change; deliveries sent after rotation are signed with the new secret and will fail verification against the old one.
Required scope: webhooks:write
Delete a webhook
```bash
curl -X DELETE "https://app.strix.ai/api/v1/webhooks/<WEBHOOK_ID>" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>"
```
Required scope: webhooks:write
Inspect deliveries
```bash
curl -X GET "https://app.strix.ai/api/v1/webhooks/<WEBHOOK_ID>/deliveries?limit=25" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>"
```
Required scope: webhooks:read