Docs/Webhooks

Webhooks

Webhooks let you receive real-time HTTP notifications when Shingo discovers new findings, completes an analysis run, or detects a change in connector status.

Webhooks are currently in early access. Book a demo to enable webhooks for your account.

Event types

finding.created

Fired when a new finding is discovered. Includes the full execution package.

finding.updated

Fired when a finding's status changes (e.g., resolved, dismissed).

analysis.completed

Fired when an analysis run finishes. Includes summary stats.

connector.error

Fired when a connector encounters an authentication or data error.

connector.synced

Fired when a connector completes a data sync cycle.

Payload format

Webhook payloads are sent as JSON POST requests to your configured endpoint:

{
  "event": "finding.created",
  "timestamp": "2026-03-10T14:30:00Z",
  "data": {
    "id": "shg_2847",
    "severity": "critical",
    "confidence": 0.94,
    "root_cause": "JS lib v2.4.0 broke mobile validation",
    "revenue_impact": {
      "annual": 1800000,
      "currency": "USD"
    },
    "suggested_fix": "Revert to v2.3.1"
  }
}

Verification

Every webhook request includes a signature header for verification:

X-Shingo-Signature: sha256=xxxxxxxxxxxxxxxx

Verify the signature by computing HMAC-SHA256 of the raw request body using your webhook secret. Reject requests where the signature doesn't match.

Retry policy

If your endpoint returns a non-2xx status code, Shingo retries with exponential backoff:

1st retry

1 minute

2nd retry

5 minutes

3rd retry

30 minutes

After 3 failed attempts, the webhook is marked as failed and you'll receive an email notification. Failed webhooks can be retried manually via the API.

Previous

← REST API