Webhook Notifications
Send Cassian alerts to Slack, Discord, or any custom endpoint using webhooks.
Cassian™ can POST notification events to any URL you specify. This lets you route alerts into Slack, Discord, or any custom system that can receive HTTP requests.
Webhook notifications are available on the Protector plan and above.
What Cassian auto-detects
Cassian inspects the URL you provide and adjusts the payload format automatically:
| URL type | Payload format |
|---|---|
| Slack incoming webhook URL | Slack Block Kit — structured, readable, with store name and score |
| Discord webhook URL | Discord embed — titled, colour-coded by severity |
| Any other URL | Generic JSON payload |
You don't need to configure the format — Cassian detects it from the URL.
Setting up a Slack webhook
In Slack: go to Apps → Incoming Webhooks → Add to Slack, choose your channel, and copy the webhook URL
In Cassian: go to Settings → Notifications → Channels → Add Webhook, paste the URL, and save
Cassian detects the Slack URL and sends a formatted test message to your channel
Setting up a Discord webhook
In Discord: go to Server Settings → Integrations → Webhooks → New Webhook, choose your channel, and copy the webhook URL
In Cassian: go to Settings → Notifications → Channels → Add Webhook, paste the URL, and save
Cassian sends a formatted test embed to your Discord channel
Testing your webhook
After adding a webhook, click Test next to it in the Channels list. Cassian sends a sample notification immediately so you can confirm the connection works before relying on it.
The JSON payload (for custom endpoints)
For any URL that isn't a recognised Slack or Discord webhook, Cassian sends a generic JSON payload:
{
"event": "scan.complete",
"site": "yourstore.com",
"score": 84,
"score_change": 3,
"timestamp": "2026-02-26T10:00:00Z",
"issues": {
"critical": 0,
"high": 2,
"medium": 5
}
}Event types in the payload: scan.complete, uptime.down, uptime.recovered, order_pulse.incident, order_pulse.recovered, security.finding, link_check.broken, digest.weekly.
Verifying webhook authenticity
Every request Cassian sends includes an X-Cassian-Signature header — an HMAC-SHA256 signature of the raw request body, signed with your webhook secret. Your endpoint can verify this to confirm the request came from Cassian and wasn't tampered with.
To find your webhook secret: Settings → Notifications → Channels → your webhook → View Secret.
Example verification (Node.js):
const crypto = require('crypto');
function verifySignature(body, signature, secret) {
const expected = crypto
.createHmac('sha256', secret)
.update(body)
.digest('hex');
return crypto.timingSafeEqual(
Buffer.from(signature),
Buffer.from(expected)
);
}Frequently asked questions
Can I have multiple webhooks?
Yes. Add as many as you need from Settings → Notifications → Channels → Add Webhook. Each webhook can be configured to receive different event types via the preference matrix.
My Slack webhook isn't formatting correctly — why?
Confirm you're using a Slack Incoming Webhooks URL (it starts with https://hooks.slack.com/services/). App-level webhook URLs from Slack's API are different and won't trigger Cassian's Block Kit formatting.
How do I find my webhook secret?
Settings → Notifications → Channels → click on your webhook → View Secret. Keep this secret — anyone with it can forge requests that look like they came from Cassian.
Can I filter which events go to which webhook?
Yes. The Notifications preference matrix (Settings → Notifications → Preferences) lets you toggle each event type per channel. If you have two webhooks, you can send uptime alerts to one and scan results to another.
What happens if my webhook endpoint is down?
Cassian retries failed webhooks with exponential backoff. After several consecutive failures, the webhook is marked as inactive and you receive an email alert. Reactivate it from Settings → Notifications → Channels once your endpoint is back online.
Can I use a webhook to trigger an automation or script?
Yes. Any endpoint that can receive an HTTP POST and return a 200 status will work. Common uses include triggering deploys, updating project management tools, or logging to your own monitoring system.