Webhooks
POST scan and finding events to your endpoint, signed with HMAC-SHA256.
Brektra fires webhooks for the events that matter to most workflows. Configure them in Settings → Notifications.
Events
scan.completed
finding.created
patch.applied
retest.completed
Payload shape
{
  "type": "finding.created",
  "data": {
    "workspace_id": "uuid",
    "scan_id": "uuid",
    "finding_id": "uuid",
    "target": "app.example.com",
    "category": "prompt_injection",
    "severity": "high",
    "owasp": "LLM01",
    "replay_url": "https://brektra.com/replay/..."
  },
  "sent_at": "2026-04-30T18:21:00.123Z"
}
Signature
We POST with two headers:
content-type: application/json
x-brektra-event: finding.created
x-brektra-signature: <hex hmac-sha256 of body using your workspace secret>
To verify, compute hex(hmac_sha256(secret, body)) and compare in
constant time. The signing secret is shown once when you rotate it in
the notifications settings; treat it like a password.
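A receiver-side check for the scheme above, as an added example (not Brektra's own code). It assumes the framework hands you the raw request body as bytes and a headers dict with lowercase keys; the secret, body and the rule that the event header must match the payload type are constructed for illustration.

```python
import hashlib
import hmac
import json


def sign(secret: bytes, body: bytes) -> str:
    """hex(hmac_sha256(secret, body)), as described in the Signature section."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Check x-brektra-signature against the raw body bytes in constant time."""
    if not header_value:
        return False
    expected = sign(secret, body).encode("ascii")
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    received = header_value.strip().lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected, received)


class RejectedWebhook(Exception):
    """Raised when a delivery must not be processed."""


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> dict:
    """Verify first, parse second. Keys of `headers` are assumed lowercase."""
    if not verify_signature(secret, body, headers.get("x-brektra-signature")):
        raise RejectedWebhook("bad or missing signature")
    event = json.loads(body)  # parsed only after the MAC checks out
    # The MAC covers the body only, so x-brektra-event is not authenticated.
    # Assumption: header and payload type always agree; route on the payload.
    if event.get("type") != headers.get("x-brektra-event"):
        raise RejectedWebhook("event header does not match payload type")
    return event


# Constructed sample values, not real Brektra data.
SECRET = b"example-workspace-secret"
BODY = b'{"type":"finding.created","data":{"severity":"high"},"sent_at":"2026-04-30T18:21:00.123Z"}'
HEADERS = {
    "content-type": "application/json",
    "x-brektra-event": "finding.created",
    "x-brektra-signature": sign(SECRET, BODY),
}

if __name__ == "__main__":
    print(handle_webhook(SECRET, HEADERS, BODY)["type"])
```

Verify against the bytes exactly as received: parsing the JSON and re-serialising it before computing the HMAC changes whitespace and breaks the match.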
Plan gate
Custom webhooks are available on the Business plan and above. The Slack integration is available on every plan.
Slack format
Slack webhooks use Block Kit. We post a header (event title), one or two sections (severity, category, OWASP mapping, proof excerpt), and a View replay button.