Custom Webhooks

Custom webhooks are triggered by Steadybit whenever e.g. an experiment has started or failed. You can configure them at Settings / Application Settings / Integrations / Custom webhook. The content type is application/json and the message is described in our OpenAPI specification as WebhookPayload.


The name for this integration will not show up in the JSON body.


The URL, which will receive a HTTP Post request with the JSON body


You may a specify a secret which will be used to sign the body. Verifying the signature. optional


If no team is specified, you'll receieve all events. If you do specify a team you'll only receive events relevant for this team


You may select the events you want to recieve.

Verifying the Signature

If a secret is provided a signature of the body is computed using HMAC SHA-256 and sent as X-SB-Signature http header. You can use this header to verify the message.

Here is an example of doing this in Java:

private static boolean validateSignature(byte[] body, String secret, String header) throws Exception {
    //calculate the signature using the secret
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
    byte[] signature = mac.doFinal(body);

    //remove the algorithm prefix and decode the hex to bytes[]
    byte[] receivedSignature = Hex.decode(header.replaceFirst("^hmac-sha256 ", ""));

    //compare using time-constant algorithm
    return MessageDigest.isEqual(signature, receivedSignature);

Last updated