Webhook payloads
dpndncY POSTs JSON events to your endpoints as things happen. Every payload has a stable, versioned JSON Schema auto-generated from the same types the server emits, so you can validate and type your consumers.
Events
| Event | Fires when |
|---|---|
scan.completed | A scan finishes (carries summary counts + verdict). |
finding.created | A new finding is recorded. |
policy.failed | A policy gate returns FAIL. |
firewall.blocked | The firewall blocks an install. |
bypass.requested / bypass.granted | A firewall bypass is requested / approved. |
monitor.regression-detected | A monitored project regresses (new high-risk finding). |
agent.trace-emitted | The runtime agent signs a job trace. |
Envelope
POST body
{
"event": "firewall.blocked",
"id": "evt_…",
"occurredAt": "2026-06-15T10:14:32Z",
"tenant": "acme",
"data": { "package": "npm:left-pad@1.0.0", "verdict": "block", "reason": "kev+reachable" },
"signature": "sha256=…"
}Verify the signature
Each delivery carries an HMAC signature header computed with your endpoint’s shared secret — verify it before acting on the payload.
Subscriptions
Create and manage subscriptions in the console or via the REST API — choose which events go to which endpoint, with retries on failure.