Webhooks


Webhooks are a real-time, event-driven communication method that allows PlexTrac to send data automatically when a specific event occurs. Using HTTP POST requests, webhooks enable immediate data transfer without constant polling, making them efficient and lightweight.

By providing a unique URL for event notifications, webhooks facilitate automation and real-time updates between applications while ensuring security through authentication methods and encryption.

Users who prefer a straightforward, visual approach to setting up webhooks should use the documentation page focused on integrations and webhooks through the application interface. That documentation is ideal for non-technical users or administrators who may not be familiar with API calls and prefer guided, step-by-step instructions.

Prerequisites

  1. Users should ensure the webhook feature is enabled in their PlexTrac account.

  2. Users must confirm that the notification engine and notification service are running.

PlexTrac's webhook requests have a 5-second timeout. If an endpoint takes over five seconds to respond, the request will be retried up to five times with exponential backoff, potentially leading to duplicate events. To prevent this, ensure the endpoint responds promptly.

Configuring Webhooks

The list below outlines the key operations of the webhook lifecycle, including retrieving available events, creating new webhooks, updating existing configurations, testing webhook functionality, deleting webhooks, and accessing logs.

Getting Available Events

To retrieve a list of available webhook events, users should send a GET request to:

```text
{{toplevel_domain}}/api/internal/webhookevents
```

Creating a Webhook

Users can create a new webhook by sending a POST request to:

```text
{{toplevel_domain}}/api/internal/webhooks
```

The request should include a JSON body with the following parameters:

```json
{
  "clientCuids": [],
  "name": "Your Webhook Name",
  "url": "https://your-webhook-url.com",
  "sslVerification": true,
  "events": ["ReportPublished"],
  "enabled": true,
  "secret": null
}
```

Webhook Security: HMAC-256 Signature Verification

To ensure the authenticity and integrity of webhooks, PlexTrac includes an HMAC-256 signature in the X-Authorization-HMAC-256 header of each webhook request. This signature is generated using the secret provided during the webhook's creation.

To verify the signature, follow these steps:

  1. Concatenate: Combine the secret with the raw JSON payload of the webhook request.

  2. Hash: Generate an HMAC-SHA256 hash of the concatenated string.

  3. Compare: Compare the generated hash with the value in the X-Authorization-HMAC-256 header. If they match, the webhook is authentic.
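A receiver-side check for the steps above, written as an added example (not PlexTrac's code). It assumes "combine" means the secret is used as the HMAC key over the raw request body and that the header value is hex-encoded; confirm both against the Verifying Sender Requests page. The payload and secret are constructed.

```python
import hashlib
import hmac
import json

HEADER = "X-Authorization-HMAC-256"  # header name given on this page


def expected_signature(secret: str, raw_body: bytes) -> str:
    # Assumption: secret is the HMAC key, raw body is the message, hex output.
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers: dict, raw_body: bytes) -> bool:
    """True only when the request carries a valid signature over raw_body."""
    if not secret:
        # With a null secret no signature is sent, so nothing can be verified.
        return False
    # HTTP header names are case-insensitive.
    received = next(
        (v for k, v in headers.items() if k.lower() == HEADER.lower()), None
    )
    if received is None:
        return False  # fail closed: unsigned request to a receiver expecting one
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


# Constructed sample values, not a real PlexTrac payload or secret.
SECRET = "constructed-example-secret"
BODY = b'{"event":"ReportPublished","name":"Q3 external test"}'


def demo() -> dict:
    signed = {HEADER: expected_signature(SECRET, BODY)}
    pretty = json.dumps(json.loads(BODY), indent=2).encode()  # same JSON, new bytes
    return {
        "valid": verify_webhook(SECRET, signed, BODY),
        "tampered": verify_webhook(SECRET, signed, BODY.replace(b"Q3", b"Q4")),
        "reserialized": verify_webhook(SECRET, signed, pretty),
        "unsigned": verify_webhook(SECRET, {}, BODY),
        "wrong_secret": verify_webhook("another-secret", signed, BODY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `reserialized` case is rejected because the signature covers the exact bytes received, so verify before parsing and never over a re-encoded copy of the JSON.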

Retrieving Webhooks

To get a list of existing webhooks, users can use this GET endpoint:

```text
{{toplevel_domain}}/api/internal/webhooks?page[size]=25&page[current]=1
```

Updating a Webhook

To modify an existing webhook, users should send a PATCH request to:

```text
{{toplevel_domain}}/api/internal/webhooks/{webhookCuid}
```

Testing a Webhook

To test the webhook configuration, users can use this POST endpoint:

```text
{{toplevel_domain}}/api/internal/webhooks/test
```

The request should include a JSON body like this:

```json
{
  "url": "https://your-test-webhook-url.com",
  "secret": "your_secret_key",
  "sslVerification": true
}
```

Deleting a Webhook

To remove a webhook, users should send a DELETE request to:

```text
{{toplevel_domain}}/api/internal/webhooks/{webhookCuid}
```

Viewing Webhook Logs

To access webhook logs, users can use this GET endpoint:

```text
{{toplevel_domain}}/api/internal/webhookslog?tenantCuid={tenantCuid}&limit=25&offset=0&webhookCuid={webhookCuid}
```

Validation Rules

When creating or updating webhooks, users must ensure that their requests adhere to the following validation rules:

  • clientCuids: array of strings

  • name: string

  • url: string

  • secret: string or null

  • sslVerification: boolean

  • events: array of strings (must include at least one valid event)

  • enabled: boolean

Troubleshooting

  • Users should monitor API logs for testWebhook events and their outcomes.

  • After configuring a webhook, it is advisable to trigger an event (e.g., publishing a report) to verify its functionality.

  • If users encounter a "Failed to call webhook" error, they should check their logs for more details.

  • It is important to note that webhook requests must follow specific rules to prevent SSRF attacks. PlexTrac validates the IP address and protocol for security purposes.

Using an HMAC-256 signature with PlexTrac webhooks is optional. If a secret is not provided, it will default to null, and no signature will be included. While not required, using a signature is highly recommended to enhance the security and authenticity of webhooks. Click here for more information on verifying sender requests.