Skip to main content
Outbound webhooks send workspace events to external systems, such as internal tools, automations, queues, chatops, or observability tools. Use Console > Webhooks to create, test, activate, deactivate, edit, and track deliveries.

When to use

Use webhooks when:
  • an external system needs to react to Acrity events;
  • an internal automation should receive notifications;
  • you need to feed observability, audit, or dashboards;
  • integrations through API polling are not desirable.
Use Console > API Keys when the external system needs to actively query data.

Who can access

Managing webhooks requires a Workspace admin (platform admins also have access). Roles are fixed capability sets defined by Acrity, not configurable per workspace.

Main fields

FieldPurpose
NameIdentifies the webhook in the Console.
URLExternal endpoint that will receive the event.
MethodHTTP method used for delivery.
Content typeFormat of the sent body.
EventsEvent types that trigger the webhook.
HeadersAdditional headers sent in the request.
Secret headersHeaders whose value should be protected and not displayed again.
HMACSignature that allows the recipient to verify origin.
Body templateOptional template to customize the sent payload.
Ignore SSL VerificationSkips TLS certificate validation for the destination. Exceptional option for controlled environments. Avoid in production.

Create a webhook

New outbound webhook form with endpoint, HTTP method, headers, and payload configuration
1

Open webhooks

Go to Console > Webhooks.
2

Create new

Choose New webhook.
3

Enter destination

Fill in name, URL, method, and content type.
4

Select events

Choose the events that should trigger the webhook.
5

Configure security

Add required headers and enable HMAC when the recipient can validate signatures.
6

Test

Use the Test event action to send a sample delivery and preview the request before enabling in production.
7

Save

Save and monitor the first deliveries.

Headers and secrets

Use headers to send tokens, identifiers, or information required by the destination. Best practices:
  • mark any header that contains a token or secret as secret;
  • do not put secrets in the webhook name;
  • prefer token rotation in the destination system;
  • remove headers that are not used;
  • document the endpoint owner internally.

HMAC

HMAC allows the destination system to validate that the payload came from Acrity and was not changed in transit. Use HMAC whenever the destination supports signature verification. When enabling:
  1. Generate or enter a strong secret.
  2. Configure the same secret in the destination system.
  3. Test a delivery.
  4. Reject payloads without a valid signature at the destination.
For a step-by-step recipe on validating the signature at the receiver, see Webhook signatures.

Body template

The body template customizes the body sent. Use it when the destination expects a specific format. Recommendations:
  • start with a simple payload;
  • validate with preview before saving;
  • avoid including unnecessary sensitive data;
  • maintain compatibility with the destination system;
  • version important changes on the receiver side.

Test delivery

Before activating a critical webhook:
  • use the Test event action;
  • confirm destination response status;
  • check receiver system logs;
  • validate HMAC signature when enabled;
  • review headers and content type;
  • confirm that the expected payload arrived.

Delivery history

The webhook detail page can display delivery history. Use this history to investigate:
  • successful or failed sends;
  • status returned by the destination;
  • response time;
  • test or delivery payload when shown by the screen;
  • connection, TLS, or validation errors.

Activate and deactivate

Deactivate a webhook when:
  • the destination is under maintenance;
  • the endpoint was replaced;
  • secret exposure is suspected;
  • the integration is generating noise;
  • you need to pause deliveries temporarily.
Reactivate only after validating the destination.

Common issues

SymptomWhat to check
Webhook does not saveCheck URL, method, content type, events, and screen validations.
Test returns an errorCheck whether the endpoint is publicly reachable or reachable through the expected network.
Destination rejects payloadCheck content type, template, and schema expected by the receiver.
Invalid signatureCheck HMAC secret on both sides and whether the receiver uses the correct raw payload.
TLS errorFix destination certificate. Avoid ignoring SSL in production.

Security

Webhooks can send operational data outside Acrity. Configure only trusted destinations and periodically review which events are active. Details about data handling are in Security > Data handling.