You can configure Cachet to notify external services of various events using webhooks. Webhooks are HTTP callbacks
triggered by specific events. When an event occurs, Cachet sends an HTTP POST request to the configured URL
with a JSON payload containing information about the event. Webhooks consist of:
- Payload URL: The URL that Cachet will send the webhook to.
- Secret: A secret key used to sign the webhook payload. Use it to verify that the payload came from Cachet
and not a third party.
- Events: The events that will trigger the webhook.
The Cachet dashboard provides a user-friendly interface for managing webhooks. You can add, edit, and delete webhooks
from the “Manage Webhooks” page.
Supported events
Cachet currently supports the following events:
component_created
component_updated
component_deleted
component_status_changed
incident_created
incident_updated
incident_deleted
metric_created
metric_updated
metric_deleted
metric_point_created
metric_point_deleted
subscriber_created
subscriber_unsubscribed
subscriber_verified
Cachet may add more events in the future. Check the latest documentation for the most up-to-date list of supported events.
Receiving webhooks
User agent
Cachet will send a User-Agent header with the request. The value of the User-Agent header will be:
Cachet/3.0 Webhook (+https://docs.cachethq.io)
Payload
The payload Cachet sends contains information about the event that triggered the webhook. The payload is a JSON
object with the following structure:
{
"event": "incident_updated",
"body": {
"id": 3,
"component_id": null,
"name": "Test",
"status": 2,
"message": "We have identified the issue and are working on a fix.",
"created_at": "2025-01-09T13:44:30.000000Z",
"updated_at": "2025-01-09T13:49:54.000000Z",
"deleted_at": null,
"visible": 1,
"stickied": false,
"occurred_at": null,
"user_id": 1,
"notifications": false,
"guid": "19801cb7-883c-490e-8569-e552b013b2cc",
"external_provider": null,
"external_id": null
}
}
Signature verification
When a webhook fires, Cachet sends a Signature header with the request. Use this header to verify the data was not
modified in transit. Cachet computes the signature by hashing the request body with the secret key. To verify it,
compute the same hash and compare it to the value in the Signature header.
Verifying signatures
$configuredSigningSecret = 'your-signing-secret';
$computedSignature = hash_hmac('sha256', $request->getContent(), $configuredSigningSecret);
if ($computedSignature !== $request->header('Signature')) {
abort(500);
}