close
Skip to main content
Webhooks can be used to trigger changes to your integrations when secrets are modified, providing smooth integration with other third-party applications. webhooks To create a webhook for a particular project, go to Project Settings > Webhooks. Infisical supports three webhook types: General, Slack, and Microsoft Teams. Use General for any HTTPS endpoint; use Slack with Incoming Webhook; use Microsoft Teams with an incoming webhook (with Workflows). When you create a webhook, you can limit it to an environment and optional folder path so it runs only when secrets change in that scope. webhook-create

Secret Key Verification

A secret key is a way for users to verify that a webhook request was sent by Infisical and is intended for the correct integration. When you provide a secret key, Infisical will sign the payload of the webhook request using the key and attach a header called x-infisical-signature to the request with a payload. The header will be in the format t=<timestamp>;<signature>. You can then generate the signature yourself by generating a SHA256 hash of the payload with the secret key that you know. If the signature in the header matches the signature that you generated, then you can be sure that the request was sent by Infisical and is intended for your integration. The timestamp in the header ensures that the request is not replayed.

Event Filtering

By default, webhooks trigger on every supported event. You can narrow this down under Advanced Settings when creating a webhook, and only receive the events you care about. You can also change the events on existing webhooks by clicking Edit and selecting the events you want. Supported events:
  • Secret Modified (secrets.modified) — triggered when secrets in the configured scope are created, updated, or deleted.
  • Secret Rotation Failed (secrets.rotation-failed) — triggered when a secret rotation in the configured scope fails.

Webhook Payload Format

{
	"event": "secrets.modified",
	"project": {
		"workspaceId": "the workspace id",
		"environment": "project environment",
		"secretPath": "project folder path",
		"changedBy": "Actor that changed the secret",
		"changedByActorType": "The actor type that triggered the change. Possible values: `service`, `user`, `identity`."
	},
	"timestamp": ""
}

{
	"event": "secrets.rotation-failed",
	"project": {
		"projectId": "the project id",
		"projectName": "the project name",
		"environment": "project environment",
		"secretPath": "project folder path",
		"rotationName": "name of the failed rotation",
		"errorMessage": "error details",
		"triggeredManually": false
	},
	"timestamp": ""
}