Webhooks (Beta)

Overview

Webhooks in Sift enable the sending of real-time notifications to other systems when specific events occur, such as when a Rule is violated or resolved. Unlike APIs that require constant polling, webhooks automatically push data to a designated URL as soon as the event happens.

Each webhook includes a trigger event (like a live Rule Violation), a payload that contains event-specific information (which can be customized using built-in variables), and a target URL that receives the data via an HTTP POST request.

This allows Sift to integrate seamlessly with tools like Microsoft Teams, Slack, Jira, OpsGenie, PagerDuty, or to notify internal systems instantly. It's important to note that webhooks in Sift only fire during live Rule evaluations; they don't execute when Rules are run on historical data.

Role-based access control (RBAC)

Webhooks follow Sift's standard RBAC model:

Role	Permissions
Admin / Editor	Create, view, and edit webhooks
Collaborator / View-only	View-only access (no create/edit actions)

Unauthorized users who attempt to access restricted pages, such as a specific webhook page, by entering the URL directly will be redirected to the Manage page and shown a warning toast indicating insufficient permissions.

Trigger event types

When creating a webhook, you must select a trigger event type. The following trigger event type is available:

Trigger event type	Description	Example
Rule Violation	The webhook fires each time a Rule associated with it is either violated or resolved during live data ingestion.	A Rule monitors a temperature Channel and has a webhook configured with this trigger. During live data ingestion, if the temperature exceeds a defined threshold, the Rule enters a violated state. When the temperature falls back below the threshold, the Rule transitions to a resolved state. In both cases, the webhook fires automatically.

Settings

When creating a webhook in Sift, the following settings must be configured:

Setting	Required	Description
Webhook name	Yes	A user-defined name to identify the webhook.
Trigger event type	Yes	Specifies which event will cause the webhook to fire (for example, Rule Violation). Determines which built-in variables are available.
Destination URL	Yes	The endpoint that will receive the POST request. Must be a valid HTTPS URL.
Custom HTTP headers	No	Optional key-value pairs added to the HTTP request header. Can be used for auth tokens or content type declarations (for example, Authorization/Content-Type). To learn more, see Custom HTTP headers.
Payload config template	Yes	Defines the initial structure of the webhook payload based on the selected trigger. This setting determines whether you start with a blank template or a preformatted payload for a specific integration (for example, Slack).
Payload body	Yes	The content sent to the endpoint. May include built-in variables depending on the trigger event.

The available built-in variables depend on the selected trigger event type. See Built-in variables for details.

Webhook payloads

Webhook payloads define the content sent to the destination URL when a webhook is triggered. Payloads in Sift are fully customizable and can be formatted as either plain text or JSON.

Each payload can include built-in variables specific to the selected trigger event type, allowing users to dynamically insert relevant data such as Rule names, statuses, timestamps, and more. For example, the following JSON payload displays a few of the built-in variables for a Rule Violation trigger event type:

{
  "ruleName": "{{.RuleName}}",
  "status": "{{.Status}}",
  "sentAt": "{{.SentAt}}"
}

To simplify integration with popular tools, Sift provides predefined payload templates for services like Slack, OpsGenie, Jira, and PagerDuty. These can be selected from the Template list during webhook creation or editing.

In addition to static content, Sift's payload editor supports control flow, including if-else logic for dynamic formatting. For example, the following JSON payload for Slack demonstrates how conditional expressions can be used to alter the payload based on the Rule's status:

{
  "blocks": [
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "{{if eq .Status \"resolved\"}}:white_check_mark: Resolved{{else}}:bangbang: *Alert - {{.Status}}*{{end}}"
      }
    }
  ]
}

Built-in variables

Each trigger event type includes a set of built-in variables that are available for use and viewing when creating or editing a webhook. These variables can be used to customize the webhook payload with dynamic, event-specific data.

Rule Violation

The following table lists the built-in variables available for the Rule Violation trigger event type:

Variable	Type	Description
{{.RuleName}}	string	The name of the Rule that is being triggered.
{{.Status}}	"resolved" or "violated"	Indicates whether the Rule is in a resolved or violated state.
{{.WebhookId}}	string	The unique identifier of the webhook.
{{.EventId}}	string	The unique identifier of the event.
{{.RuleId}}	string	The unique identifier of the Rule that was triggered.
{{.RuleVersion}}	number	The version number of the Rule that was triggered.
{{.AssetName}}	string	The name of the Asset associated with the triggered Rule.
{{.RunId}}	string	The unique identifier of the Run associated with the event.
{{.SentAt}}	string	The timestamp indicating when the webhook was sent, formatted in RFC3339.

Log generation and retention policy

Webhook logs are automatically generated each time a webhook fires or fails to fire. If a webhook fails to fire, the log entry will include the reason for the failure to assist with troubleshooting. These logs are retained for four weeks, after which they are automatically deleted as part of routine maintenance. Sift does not retain logs generated from test webhook executions.

Rate limits and retry policy

To protect users and their integrations from unintended overload, each webhook in Sift is subject to a rate-limiting policy. This ensures stable and predictable behavior, even during high-volume Rule evaluations. Rate-limit policy:

Parameter	Value	Description
Baseline rate	2 webhooks per second	The standard rate at which webhooks can be sent without consuming burst tokens.
Burst capacity	Up to 100 webhooks per second	Maximum temporary throughput allowed when using burst tokens.
Burst tokens	100 per webhook	Each webhook has 100 tokens available for burst use.
Token cost	1 token per webhook sent beyond the baseline rate	Every additional webhook sent above the baseline consumes one burst token.
Token recovery rate	2 tokens per second (when usage is below the baseline)	Burst tokens regenerate over time, but only if sending is below the baseline.

If a webhook exceeds its rate limits and burst tokens are exhausted, it will fail to send. A corresponding failure entry will be recorded in the webhook logs, indicating that the webhook was blocked due to rate-limiting.
Sift will retry a failed webhook once, but only if the failure is due to a reason other than rate-limiting. If a webhook fails due to being rate-limited, it will not be retried.

Custom HTTP headers

When configuring a webhook in Sift, you can optionally define certain HTTP headers to customize how the receiving system handles the request. These headers are sent along with the webhook payload and are commonly used to specify content format or provide authentication. Supported custom headers:

Header	Purpose	Notes
Content-Type	Specifies the format of the webhook payload (for example, application/json).	Determines how the receiving system interprets the payload.
Authorization	Provides credentials to authenticate the webhook request.	Use this header if the destination requires a token or API key. The value is treated as sensitive. It is obfuscated in the UI and securely encrypted while stored in Sift.

Secure webhooks

Sift supports secure webhook delivery using HMAC-SHA256 signatures. These signatures ensure the webhook was sent by Sift and has not been tampered with in transit. Webhooks are only signed if your Sift environment has a webhook signing key configured (generated). If no key exists, webhooks will not include an X-Sift-Signature header, and should not be trusted for secure operations.

Once a webhook signing key is configured in your Sift environment, each outgoing webhook will include the signature header that enables verification using HMAC-SHA256. The signature is computed using the following formula:

HMAC_SHA256(signing_key, sent_at + raw_payload)

The sentAt value must be present in the payload to successfully validate the signature. However, this value is not included automatically, you must explicitly add it using {{.SentAt}} in your webhook payload template. Without it, signature verification will fail because the required signed input cannot be reconstructed.

from flask import Flask, request, abort
import hmac
import hashlib
import json
import time
 
app = Flask(__name__)
 
# Replace with your actual Sift webhook signing key
SECRET_KEY = b'your-Sift-webhook-signing-key'
 
@app.route('/webhook', methods=['POST'])
def handle_webhook():
    raw_body = request.get_data()
    received_signature = request.headers.get('X-Sift-Signature')
 
    if not received_signature:
        abort(400, 'Missing X-Sift-Signature header')
 
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        abort(400, 'Invalid JSON payload')
 
    sent_at = payload.get('sentAt')
    if not sent_at:
        abort(400, 'Missing sentAt in payload')
 
    # Strongly recommended: Reject old webhooks (for example, older than 5 minutes)
    if abs(int(time.time()) - int(sent_at)) > 300:
        abort(408, 'Webhook is too old')
 
    # Reconstruct the signed message and compute signature
    message = sent_at.encode() + raw_body
    expected_signature = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
 
    if not hmac.compare_digest(received_signature, expected_signature):
        abort(403, 'Invalid signature')
 
    return 'Webhook verified and accepted', 200
 
if __name__ == '__main__':
    app.run(debug=True)

Manage webhooks