Skip to main content

Webhook integration

Ensure successful webhook integration and handle failure cases

With the webhook integration, you can now receive notifications about updates to your reports directly within the tools used by your organisation. Activate or deactivate events such as “new report”, “new comment”, or “assessment” in the webhook configuration to automatically receive notifications when these events occur.

How to configure a webhook integration?

ℹ️ You must be a Business Unit Owner or a Business Unit Manager to configure a webhook integration.

⚠️ Notes:

  • A webhook is configured at the Business Unit level.

  • You must have at least one program in your Business Unit to configure a webhook.

  • A business unit can only have one webhook integration at a time.

  • Go to the “Admin panel”

  • Click on “Integrations” in the left-side menu

  • Select the “Webhook notifications” tab

  • Click on “Configure”

  • Fill in the webhook URL

⚠️ The provided URL must be in HTTPS.

  • Select which events you want to receive notifications for:

    • New report (ie. when a new report has been submitted)

    • Comment (ie. when a new comment has been submitted)

    • Triage assessment (ie. when the report has been assessed by triagers)

  • Click on “Configure”

  • The webhook is now configured at the Business Unit level.

ℹ️ Notes

  • An existing configuration can be modified using the “Edit configuration” button.

  • Click “Delete configuration” to remove the webhook integration.

Verify your signature

When you configure a webhook, a secret is automatically generated to help you verify the signature of incoming webhook requests. You can edit this secret during configuration. This secret is used in every webhook request to generate a signature that can be verified by your application.

The signature is generated from:

  • the event name

  • the event ID

  • the encoded body

  • an optional custom value configured by your organisation on the YWH platform (ie. Secret).

[Snippet Python]

import hashlib
import hmac


def verify_yeswehack_webhook_signature(
raw_body: bytes,
event_name: str,
event_id: str,
signature_header: str,
secret: str,
) -> bool:
if not signature_header.startswith("sha256="):
return False

signed_payload = event_name.encode("utf-8") + event_id.encode("utf-8") + raw_body

expected_signature = hmac.new(
secret.encode("utf-8"),
signed_payload,
hashlib.sha256,
).hexdigest()

received_signature = signature_header.removeprefix("sha256=")

return hmac.compare_digest(expected_signature, received_signature)

> Important note: raw_body must be exactly the raw body received (e.g., request.get_data())

ℹ️ The encryption is performed using SHA-256 and Hash_Mac function.

⚠️ You must use the same secret in both the YWH platform and your organisation's tool for the integration to work.

Error message

If the webhook configuration fails for technical reasons, an automatic retry is triggered. After three consecutive failures, an error message is displayed.

Several issues may prevent the webhook integration from being configured:

  • An issue on the customer side related to the request (e.g., 400 Bad Request),

  • An issue on the server side (e.g., 500 Internal Server Error),

  • An issue related to a redirect loop preventing the configuration from reaching the final page,

  • A timeout issue (e.g., the page does not load correctly).

ℹ️ If you cannot identify the cause of an error message, please contact your CSM for assistance with the webhook configuration.

Verify your integration

if you have configured a webhook integration and want to ensure it works correctly, manually test your webhook configuration to confirm it is functional.

  • Click on “Test configuration”

  • A new window will open to inform you that the verification is currently in progress.

⚠️ Do not close this window during the webhook configuration verification.

  • First case: the verification succeeded. You can close the window.

If the configuration cannot be validated, an error message is displayed. Update your configuration to complete the process.

Did this answer your question?