Overview
Outgoing webhooks let you push Rootly events to any system that accepts HTTP POST requests — a custom internal tool, a data pipeline, an audit log, or a third-party service that does not have a native Rootly integration. Each webhook endpoint you configure receives a JSON payload for the event types you subscribe it to. Rootly signs every delivery so your server can verify the payload came from Rootly.Create a Webhook Endpoint
1
Navigate to Webhooks
Go to Settings → Webhooks and click New Webhook.
2
3
Select event types
Choose which events this endpoint should receive. If you leave the event types list empty, the endpoint will receive all events.See Event Types below for the full list.
4
Save and copy the secret
Click Save. Rootly generates a signing secret for this endpoint automatically. Copy it now — it is only shown once. You will use it to verify incoming payloads on your server.
Event Types
Subscribe an endpoint to one or more event types. An empty subscription list means the endpoint receives all events.Incidents
Scheduled Incidents
Retrospectives
Status Page Events
Timeline Events
Alerts and Pulses
Workflows
For payload examples for the most common event types, see Event Payloads.
Delivery and Retries
Each event triggers a separate HTTP POST to every matching enabled endpoint. Rootly expects a2xx response within 10 seconds. If the delivery fails or times out, Rootly retries automatically on the following schedule:
After three failed retries the delivery is abandoned. You can inspect delivery history — including response status codes and response bodies — from the endpoint detail page in Settings → Webhooks.
Retries use the same payload as the original attempt. If your endpoint processed the event before returning an error, implement idempotency using the event ID in the payload to avoid duplicate processing.
Verifying Webhook Signatures
Every delivery includes anX-Rootly-Signature header containing a timestamp and an HMAC-SHA256 signature. Use this to confirm the payload originated from Rootly.
- Extract the timestamp (
t=) and signature (v1=) from the header. - Concatenate the timestamp with the raw request body.
- Compute an HMAC-SHA256 digest of that string using your endpoint’s signing secret.
- Compare the result to the
v1value. If they match, the payload is authentic.
Manage Endpoints
From Settings → Webhooks you can:- Enable or disable an endpoint without deleting it — disabled endpoints receive no deliveries.
- Edit the name, URL, or event subscriptions at any time.
- View delivery history for each endpoint, including the HTTP status code and response body for each attempt.
- Delete an endpoint to permanently stop deliveries to that URL.
Troubleshooting
My endpoint is not receiving events
My endpoint is not receiving events
Check that the endpoint is enabled in Settings → Webhooks. Also verify that the event types you expect are included in the endpoint’s subscription, or that the subscription list is empty (which receives all events). If the URL requires authentication headers or is behind an IP allowlist, those must be handled at the receiving server — Rootly sends only the
X-Rootly-Signature header alongside the standard Content-Type: application/json header.Deliveries are failing with a timeout
Deliveries are failing with a timeout
Rootly waits up to 10 seconds for a response. If your endpoint takes longer to process, return a
200 immediately and handle the payload asynchronously. Rootly will retry failed deliveries up to three times before abandoning the delivery.I lost my signing secret
I lost my signing secret
You can regenerate the signing secret from the endpoint’s edit form in Settings → Webhooks. Regenerating immediately invalidates the old secret, so update your server-side verification logic before regenerating.
How do I test my endpoint locally?
How do I test my endpoint locally?
Use a tool like ngrok or localtunnel to expose a local port over a public HTTPS URL, then register that URL as a webhook endpoint in Rootly. Trigger a test event by creating or updating an incident, and inspect the delivery in the endpoint detail view.