FixMyCloud
Start free
FixMyCloud|Developer Docs
v1.0Get API key

Guide

Webhooks

Receive real-time HTTP POST notifications when events occur in your workspace — no polling required.

Configure a webhook

Register a webhook endpoint via the API or in the app Settings → Webhooks:

bash
POST /api/v1/webhooks
Authorization: Bearer <token>
X-Tenant-Slug: my-company
Content-Type: application/json

{
  "url": "https://your-app.com/webhooks/fixmycloud",
  "events": ["scan.completed", "finding.critical"],
  "secret": "your-signing-secret"
}

Event types

scan.completedA scan finished (success or failure)
scan.failedA scan encountered an error
finding.criticalA new critical severity finding was detected
finding.highA new high severity finding was detected
compliance.score_droppedCompliance score dropped below threshold

Webhook payload

json
{
  "event": "scan.completed",
  "timestamp": "2026-04-12T10:34:12Z",
  "workspace": "my-company",
  "data": {
    "scan_id": "scan_xyz789",
    "connection_alias": "Production AWS",
    "provider": "aws",
    "status": "completed",
    "total_findings": 47,
    "critical_count": 3,
    "risk_score": 72.4
  }
}

Verify webhook signatures

Every webhook is signed with your secret using HMAC-SHA256. Verify the signature before processing:

python
import hmac, hashlib

def verify_webhook(payload_bytes, signature_header, secret):
    expected = hmac.new(
        secret.encode(),
        payload_bytes,
        hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(
        f"sha256={expected}",
        signature_header
    )

# In your webhook handler:
sig = request.headers.get("X-FixMyCloud-Signature")
is_valid = verify_webhook(request.body, sig, "your-signing-secret")
if not is_valid:
    return 401
Always verify signatures to ensure webhook payloads originate from FixMyCloud and have not been tampered with.