# Webhook Notifications

Webhooks allow Catchify to send real-time notifications to any system that can receive HTTP requests. This is useful if you want to integrate Catchify with custom tools, internal dashboards, ticketing systems, or communication platforms beyond Slack and Jira.

## What Are Webhooks?

A webhook is a way for Catchify to automatically send information to another system when something happens -- like a new finding being discovered or a report being submitted. Instead of your system checking Catchify for updates, Catchify pushes updates to your system as they occur.

## Setting Up a Webhook

1. Navigate to **Integrations** in the main menu
2. Find the **Webhooks** card and click **Configure**
3. Click **Add Webhook**
4. Enter the following details:
   * **URL** -- The endpoint where Catchify should send notifications (provided by your receiving system)
   * **Name** -- A friendly name for this webhook (for example, "Internal Dashboard" or "ServiceNow Integration")
   * **Events** -- Select which events should trigger this webhook
5. Click **Save**

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-webhooks.png?alt=media" alt="Webhook configuration form with URL, name, and event selection"><figcaption><p>Add a webhook by providing a URL and selecting which events to send</p></figcaption></figure>

## Available Events

You can configure your webhook to send notifications for any combination of these events:

| Event                 | When It Fires                                 |
| --------------------- | --------------------------------------------- |
| **finding.created**   | A new finding is discovered                   |
| **finding.updated**   | A finding's status or details change          |
| **report.created**    | A new bug bounty report is submitted          |
| **report.updated**    | A bug bounty report status changes            |
| **retest.completed**  | A retest has been completed                   |
| **project.started**   | A penetration testing engagement begins       |
| **project.completed** | A penetration testing engagement finishes     |
| **comment.created**   | A new comment is added to a finding or report |

## What Gets Sent

When an event occurs, Catchify sends an HTTP POST request to your webhook URL. The request includes a JSON body with details about the event, such as:

* The event type
* A timestamp
* Key details about the finding, report, or project that triggered the event
* A link to view the full details in the Catchify portal

{% hint style="info" %}
Your technical team can use the event data to build custom workflows -- for example, automatically creating tickets in a custom ticketing system, updating a security dashboard, or triggering alerts in a monitoring tool.
{% endhint %}

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-webhooks.png?alt=media" alt="Webhook delivery log showing recent events with status and response codes"><figcaption><p>The delivery log shows the status of every webhook notification sent</p></figcaption></figure>

## Securing Your Webhooks

To ensure that webhook notifications are genuinely from Catchify (and not from a malicious source), each webhook request includes an HMAC signature in the request headers. Your receiving system can verify this signature to confirm the request is authentic.

When you create a webhook, Catchify generates a **signing secret** that is displayed once. Share this secret with your technical team so they can configure signature verification on the receiving end.

{% hint style="warning" %}
Store your webhook signing secret securely. If you lose it, you can generate a new one from the webhook settings -- but you will then need to update your receiving system with the new secret.
{% endhint %}
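
A receiver-side check for the signature described above, as an added example rather than Catchify's own code. The header name `X-Webhook-Signature`, HMAC-SHA256 with hex encoding computed over the raw request body, and the `event` field name are assumptions; confirm the actual values for your integration before relying on them.

```python
import hashlib
import hmac
import json

# Assumptions (not from the Catchify docs): header name, HMAC-SHA256, hex
# encoding, signature over the raw request body, and the "event" JSON field.
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical header name
KNOWN_EVENTS = {
    "finding.created", "finding.updated", "report.created", "report.updated",
    "retest.completed", "project.started", "project.completed", "comment.created",
}


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def handle_delivery(secret: bytes, headers: dict, raw_body: bytes):
    """Return (status_code, event_type); verify the signature before parsing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(SIGNATURE_HEADER.lower())
    if not supplied:
        return 401, None  # unsigned request: reject without reading the body
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), supplied.strip().lower().encode()):
        return 401, None
    try:
        event = json.loads(raw_body).get("event")  # assumed field name
    except (ValueError, AttributeError):
        return 400, None  # authentic sender, but body is not a JSON object
    if event not in KNOWN_EVENTS:
        return 400, None
    return 200, event


# Constructed sample delivery for demonstration.
SECRET = b"example-signing-secret"
BODY = b'{"event": "finding.created", "timestamp": "2024-01-01T00:00:00Z"}'
GOOD_HEADERS = {SIGNATURE_HEADER: sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_delivery(SECRET, GOOD_HEADERS, BODY))
    print(handle_delivery(SECRET, GOOD_HEADERS, BODY.replace(b"created", b"updated")))
    print(handle_delivery(SECRET, {}, BODY))
```

Compute the HMAC over the bytes exactly as received; re-serializing parsed JSON changes the bytes and breaks verification.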

## Managing Your Webhooks

From the Webhooks configuration page, you can:

* **View delivery history** -- See a log of all notifications sent, including response codes from your endpoint
* **Edit a webhook** -- Change the URL, name, or selected events
* **Test a webhook** -- Send a test event to verify your endpoint is working
* **Disable a webhook** -- Temporarily stop sending notifications without deleting the configuration
* **Delete a webhook** -- Permanently remove the webhook

<figure><img src="https://1934022057-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSEbSDqwQ0dOF3yycuHLw%2Fuploads%2Fgit-blob-9e4e0d1bf53f6267d13bff58f533223cee60cbfb%2Fintegrations-webhooks.png?alt=media" alt="Webhook list showing configured webhooks with edit and delete options"><figcaption><p>Manage all your webhooks from one page</p></figcaption></figure>

## Troubleshooting

If your webhook notifications are not arriving:

* **Check the delivery log** -- Look for error response codes that indicate what went wrong
* **Verify the URL** -- Make sure the webhook URL is correct and publicly accessible
* **Check your firewall** -- Ensure your receiving system allows incoming requests from external sources
* **Review the endpoint** -- Make sure your endpoint returns a 200 status code to acknowledge receipt

If deliveries fail repeatedly, Catchify will automatically disable the webhook after a number of consecutive failures. You will see a notification in the portal when this happens.

{% hint style="success" %}
Webhooks are the most flexible way to integrate Catchify with your existing tools and workflows. If you can receive an HTTP request, you can integrate with Catchify.
{% endhint %}
