Cachet can be configured to notify external services of various events using webhooks. Webhooks are HTTP callbacks that are triggered by specific events. When an event occurs, Cachet sends an HTTP POST request to the configured URL with a JSON payload containing information about the event. Webhooks consist of:
  • Payload URL: The URL that Cachet will send the webhook to.
  • Secret: A secret key that is used to sign the webhook payload. This can be used to verify that the payload was sent by Cachet and not a third party.
  • Events: The events that will trigger the webhook.
The Cachet dashboard provides a user-friendly interface for managing webhooks. You can add, edit, and delete webhooks from the “Manage Webhooks” page.

Supported Events

Cachet currently supports the following events:
  • component_created
  • component_updated
  • component_deleted
  • component_status_changed
  • incident_created
  • incident_updated
  • incident_deleted
  • metric_created
  • metric_updated
  • metric_deleted
  • metric_point_created
  • metric_point_deleted
  • subsciber_created
  • subscriber_unsubscribed
  • subscribed_verified
Cachet may add more events in the future. Check the latest documentation for the most up-to-date list of supported events.

Receiving Webhooks

User Agent

Cachet will send a User-Agent header with the request. The value of the User-Agent header will be: 
Cachet/3.0 Webhook (+https://docs.cachethq.io)

Payload

The payload sent by Cachet will contain information about the event that triggered the webhook. The payload will be a JSON object with the following structure: 
{
  "event": "incident_updated",
  "body": {
    "id": 3,
    "component_id": null,
    "name": "Test",
    "status": 2,
    "message": "sdsd",
    "created_at": "2025-01-09T13:44:30.000000Z",
    "updated_at": "2025-01-09T13:49:54.000000Z",
    "deleted_at": null,
    "visible": 1,
    "stickied": false,
    "occurred_at": null,
    "user_id": 1,
    "notifications": false,
    "guid": "19801cb7-883c-490e-8569-e552b013b2cc",
    "external_provider": null,
    "external_id": null
  }
}

Signature Verification

When a webhook is triggered, Cachet will send a Signature header with the request. This header is used to verify that data was not tampered with during transit. The signature is computed by hashing the request body with the secret key and comparing it to the value in the Signature header.

Verifying Signatures

$configuredSigningSecret = 'your-signing-secret';

$computedSignature = hash_hmac('sha256', $request->getContent(), $configuredSigningSecret);

if ($computedSignature !== $request->header('Signature')) {
    abort(500);
}