Observer

Webhooks

Observer allows you to configure webhooks to receive real-time notifications whenever the status of a metric changes. This is useful for integrating with incident management systems, chat platforms, or custom automation workflows.

Registering webhooks

To register a new webhook, you need to have a URL in your app that Observer can call, and a secret key to verify the request. Once you have these, you can configure the webhook in your Observer console.

  • Navigate to Webhook Settings: Go to Settings > Integrations > Webhooks.
  • Add a New Webhook: Click "Add Webhook" and enter your webhook URL.
  • Set Up Secret Key: Enter a secret key to verify the request.
  • Set Up Headers (Optional): You can add custom headers, such as authentication tokens, for security.
  • Test the Webhook: Click "Send Test Event" to ensure your endpoint receives and processes the webhook correctly.

How Webhooks Work

When a metric's status changes, Observer sends an HTTP POST request to your configured webhook URL with the following JSON payload:

Example webhook payload

{
  "metric_name": "Test Metric",
  "status": "unhealthy",
  "timestamp": 1672531200
}

In the example above, the following fields are included:

FieldDescription
metric_nameThe name of the metric that triggered the webhook.
statusThe new status of the metric. Possible values: healthy, unhealthy, degraded, and no_data*.
timestampThe Unix timestamp of the status change event.

When the status is no_data, it indicates that the metric has no data points.

Security

To ensure the integrity of webhook requests, Observer includes an x-protocol-signature header in each request. This signature is an HMAC SHA-256 hash of the request payload, generated using your secret webhook key.

Best Practices

  • Use HTTPS: Ensure your webhook URL is secure to prevent data interception.
  • Validate Requests: Observer signs requests using a secret key. Validate this signature to prevent spoofed requests.
  • Rate Limits: Observer enforces rate limits to prevent webhook flooding in case of frequent status changes.

Verifying a request

To verify the request, compute the HMAC hash of the received payload using your secret key and compare it to the provided signature. If they don’t match, reject the request as it may be tampered with. Always use HTTPS and rotate your secret keys periodically for enhanced security.

Verifying a request

const crypto = require('crypto')

function verifySignature(secret, payload, signature) {
  const hash = crypto.createHmac('sha256', secret).update(payload).digest('hex')
  return hash === signature
}