Add a webhook endpoint
1
Open webhook settings
In the Aegis dashboard, go to Settings → Webhooks.
2
Enter your endpoint URL
In the Endpoints card, paste your HTTPS endpoint URL into the input field. The URL must be publicly reachable by Aegis.
3
Click Add
Click Add. The endpoint is registered immediately with the default event set:
approval and denied. You can see the active events listed next to the endpoint URL.Supported events
Aegis forwards the following event types to your webhook endpoints:
New endpoints receive
approval and denied events by default.
Webhook payload structure
Aegis delivers events as HTTP POST requests with aContent-Type: application/json header. Each payload includes the following fields:
Example payload:
Verify webhook signatures
Every request Aegis sends includes anX-Aegis-Signature header. Use your signing secret to verify the header value before processing the payload, this confirms the request came from Aegis and was not tampered with in transit.
Your signing secret is displayed in the Signing secret card under Settings → Webhooks. It starts with whsec_.
The verification flow:
1
Read the raw request body
Capture the raw bytes of the POST body before parsing the JSON. Signature verification must run against the raw body, not a re-serialized version.
2
Compute an HMAC-SHA256 digest
Compute
HMAC-SHA256(raw_body, signing_secret) using your whsec_... value as the key.3
Compare to the header
Compare your computed digest to the value in the
X-Aegis-Signature header using a constant-time comparison. If they match, the payload is authentic.Rotate your signing secret
If your signing secret is exposed or you want to rotate it as part of regular key hygiene:- Go to Settings → Webhooks.
- In the Signing secret card, click Rotate.
- Copy the new
whsec_...value. - Update your signature verification code with the new secret.