Integration

Use signed webhooks when certificate warnings should trigger internal automation.

Signed webhooks help teams turn expiry, validation, and certificate-change events into tickets, inventory updates, or incident routing without trusting unsigned payloads.

Alert route

Critical warnings are routed

Slack + email

Expiry, validation, and certificate-change events keep the route and delivery attempts attached to the hostname.

SeverityFinal-week expiry
Slack#certificates delivered
WebhookSigned payload ready
Alert routing

Route warnings by workspace, hostname, channel, and severity.

Alert routes show which events go to Slack, email, or signed webhooks before a missed warning becomes a second problem.

01

Endpoint setup

Use the integration page to decide what automation should happen, then use the webhook docs for payload and signature implementation. Add an HTTPS receiver URL in the dashboard, store the one-time signing secret in your receiver configuration, and rotate it from the channel page when ownership changes.

  • Use HTTPS receivers your team operates or is authorized to configure.
  • Store the generated signing secret outside source code.
  • Rotate the channel secret after receiver migrations or suspected exposure.
  • Treat receiver failures as alert-path issues, not as certificate state.
02

Automation examples

Signed certificate events can update systems that already own operational follow-up. Keep the receiver narrow so certificate alerts create useful work instead of noisy automation.

  • Create tickets only for events that need human follow-up.
  • Filter webhook routes by event class and expiry window before creating tickets.
  • Update inventory on certificate-change events instead of every routine check.
  • Keep receiver logs tied to delivery IDs for troubleshooting.
Webhook automation targets
TargetTriggerUseful payload fields
Ticketing7-day expiry, expired, or validation failure.Hostname, severity, deadline, event type, monitor link.
InventoryIssuer, SAN, fingerprint, validity, or chain change.Certificate fields, previous and current values, checked time.
Incident routingCritical validation failure on app, API, checkout, or identity.Severity, failure class, owner tags, delivery ID.
Client reportingAgency-managed client hostname warning or change.Client tag, hostname, deadline, delivery state.
03

Signature verification belongs in the docs

The webhook docs cover raw-body signature verification, replay tolerance, retry behavior, payload fields, idempotency, and secret rotation. Use this integration page to choose the workflow; use the docs before acting on received payloads.

04

Retries and logs

Transient HTTP or network failures retry on the alert delivery schedule. Each attempt remains visible with status and provider error text when available.

FAQ2 answers
  1. What can signed webhooks be used for?

    Signed webhooks can forward certificate expiry, validation, and change events into internal automation, ticketing, inventory, or incident routing systems.

  2. How does replay protection work?

    Receivers should verify the signature and reject stale timestamp headers. Domain Trust Watch documents the timestamp plus body signing model so receivers can enforce a replay tolerance.

Verify before acting

Read the signing docs before creating tickets from certificate warnings.

Webhook receivers should verify signatures and timestamps before they update internal systems.