Документация · Интеграции
Настройка Webhooks
Configure incoming and outgoing webhooks to integrate VantaStatus with Slack, Jira, or your own monitoring systems. Receive real-time alerts when monitored endpoints change status.
Overview
What Are Webhooks in VantaStatus?
Webhooks let VantaStatus push event notifications directly to your HTTP endpoint the moment something changes. Instead of polling our API for status updates, you register a URL and receive a JSON payload on every state transition — endpoint down, endpoint recovering, latency exceeding threshold, or TLS certificate expiring within 30 days.
Outgoing Webhooks
VantaStatus sends POST requests to your endpoint when monitored resources change state. You configure the target URL, HTTP headers, and which event types trigger a delivery. Each webhook supports retry logic with exponential backoff (1 min, 5 min, 15 min, 60 min) and a 4-hour expiration window.
Incoming Webhooks
External services can POST to your unique VantaStatus webhook URL to update custom endpoint statuses or submit synthetic check results. This is useful when you run health checks from your own infrastructure and want to feed results back into the VantaStatus dashboard.
Webhook Groups
Organize endpoints into groups and assign separate webhook URLs per group. For example, one group for production APIs (alerts to #prod-incidents in Slack), another for staging environments (alerts to a dedicated Jira queue). Groups inherit your account's default retry and timeout settings.
Schema
Payload Structure
Every webhook delivers a JSON payload with a consistent envelope. The event field determines the structure of the data object. All timestamps are in ISO 8601 UTC format.
{
"id": "wh_evt_9f82a1c4d7e6",
"event": "endpoint.down",
"timestamp": "2025-01-14T08:32:17Z",
"webhook_id": "wh_3b71f092",
"account_id": "acc_vanta_prod_001",
"data": {
"endpoint_id": "ep_msk_api_04",
"endpoint_name": "MSK-API-PROD",
"url": "https://api.example.ru/v2/health",
"previous_status": "up",
"current_status": "down",
"last_success": "2025-01-14T08:27:01Z",
"first_failure": "2025-01-14T08:32:17Z",
"failure_count": 3,
"last_response_code": 502,
"last_response_time_ms": null,
"check_interval_sec": 60,
"group": "production"
}
}Supported Events
endpoint.up — endpoint recovered from a down stateendpoint.down — endpoint failed consecutive checksendpoint.degraded — response time exceeded threshold (e.g., >2000ms)endpoint.certificate.expiring — TLS cert expires within configured windowendpoint.dns.changed — resolved IP address changedendpoint.body.changed — response body hash differs from last known good
Request Headers
Content-Type: application/jsonX-VantaStatus-Signature: sha256=...X-VantaStatus-Event: endpoint.downX-VantaStatus-Timestamp: 1736837537X-VantaStatus-Webhook-ID: wh_3b71f092X-VantaStatus-Retry-Count: 0 (increments on retries)
Verification
Security & Signature Verification
Every outgoing webhook includes an HMAC-SHA256 signature so you can verify the payload originated from VantaStatus and was not tampered with in transit. Your webhook secret is generated at creation time and is viewable only once.
How to verify: Compute HMAC-SHA256 over the raw request body using your webhook secret as the key. Compare the result with the value in X-VantaStatus-Signature header. The signature format is sha256=<hex>. Reject any request where the signature does not match or the timestamp in X-VantaStatus-Timestamp is more than 5 minutes old.
// Node.js example
const crypto = require('crypto');
function verifySignature(rawBody, signature, secret) {
const expected = 'sha256=' +
crypto.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}TLS Requirements
Your webhook endpoint must accept HTTPS connections with TLS 1.2 or higher. Self-signed certificates are not accepted. VantaStatus uses HTTP/1.1 with a 30-second timeout for the full round trip including DNS resolution, TLS handshake, and response.
IP Allowlisting
Webhook requests originate from these CIDR ranges: 91.234.56.0/24 (Moscow), 185.12.78.0/24 (Saint Petersburg). If your firewall requires allowlisting, add both ranges. We do not guarantee these ranges will remain static — always verify signatures instead of relying on IP filtering alone.
Integrations
Examples
Step-by-step configurations for the most common integrations. Each example assumes you have already created a webhook in your VantaStatus dashboard and noted the secret.
Slack
1. In Slack, go to Apps → Build → Your Apps → Create New App. Enable Incoming Webhooks and add a new webhook to your target channel (e.g., #monitoring-alerts). Copy the webhook URL.
2. In VantaStatus dashboard, navigate to Settings → Webhooks → Add Webhook. Set the URL to your Slack webhook URL. Add these custom headers:
Content-Type: application/json
3. Use a formatter function or a middleware endpoint to transform the VantaStatus payload into Slack's block format. A minimal payload looks like:
{
"channel": "#monitoring-alerts",
"username": "VantaStatus Bot",
"icon_emoji": ":warning:",
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": "🔴 MSK-API-PROD is DOWN"
}
},
{
"type": "section",
"fields": [
{
"type": "mrkdwn",
"text": "*URL:*\nhttps://api.example.ru/v2/health"
},
{
"type": "mrkdwn",
"text": "*Status:*\n502 Bad Gateway (3 failures)"
}
]
}
]
}Jira
1. Create a Jira Automation rule: Trigger — Webhook. Set the payload structure to match VantaStatus events. The rule will fire when a POST arrives at your generated Jira webhook URL.
2. In the automation action, configure Create Issue with these mappings:
Project: OPS (Operations)
Issue Type: Incident
Summary: {{data.endpoint_name}} — {{data.current_status}}
Labels: monitoring, {{data.group}}
Description: include data.url, data.failure_count, and data.last_response_code
3. Copy the Jira webhook URL into your VantaStatus webhook configuration. Set the event filter to endpoint.down only to avoid creating issues for recovery events — those can be handled by a separate automation rule that transitions the issue to Done when endpoint.up arrives.
Tip: Use the data.group field to route production incidents to OPS and staging incidents to QA by adding a Smart Value condition in Jira Automation.
Custom Monitoring Endpoint
If you run your own monitoring stack (Grafana, Datadog, Prometheus Alertmanager, or an internal incident platform), you can point a VantaStatus webhook directly to an HTTP receiver. Below is a minimal Express.js receiver that validates the signature, logs the event, and forwards it to a local message queue.
const express = require('express');
const crypto = require('crypto');
const app = express();
const WEBHOOK_SECRET = process.env.VANTA_WEBHOOK_SECRET;
app.post('/webhooks/vantastatus', express.raw({ type: 'application/json' }), (req, res) => {
const signature = req.headers['x-vantastatus-signature'];
const timestamp = req.headers['x-vantastatus-timestamp'];
// Verify timestamp freshness (5-minute window)
const now = Math.floor(Date.now() / 1000);
if (Math.abs(now - parseInt(timestamp, 10)) > 300) {
return res.status(401).send('Stale timestamp');
}
// Verify HMAC signature
const expected = 'sha256=' +
crypto.createHmac('sha256', WEBHOOK_SECRET)
.update(req.body)
.digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected))) {
return res.status(401).send('Invalid signature');
}
const payload = JSON.parse(req.body);
console.log(`[${payload.event}] ${payload.data?.endpoint_name || 'unknown'}`);
// Forward to your internal queue (Redis, RabbitMQ, etc.)
// queue.publish('vantastatus.events', payload);
res.status(200).send('OK');
});
app.listen(3000);
Idempotency note: VantaStatus may deliver the same event more than once during network partitions. Use the id field (wh_evt_9f82a1c4d7e6) as a deduplication key. Store processed event IDs in a set or a database with a TTL of at least 24 hours. Events with the same id are guaranteed to carry identical data payloads.
Next Steps
Manage Your Webhooks
All webhook configuration is available in the VantaStatus dashboard under Settings → Webhooks. You can view delivery logs, test payloads by sending a sample event, rotate secrets, and toggle individual webhooks on or off without deleting them.