Webhooks
A webhook alert channel POSTs a JSON payload to your endpoint whenever an incident fires, escalates, repeats, or resolves.
Payload
Every delivery is a JSON object with schema regioncheck.alert.v1:
{
"schema": "regioncheck.alert.v1",
"event": "fired",
"incident_id": "inc_abc123",
"scheduled_check": {
"id": "sc_abc123",
"name": "API health",
"url": "https://api.example.com/health"
},
"trigger_type": "availability",
"severity": "critical",
"status_text": "Unreachable from 4 of 6 regions",
"affected_regions": [
{ "region": "us-east-1", "reason": "TCP: connection refused", "ttfb_ms": null }
],
"total_regions": 6,
"detected_at": "2026-07-01T14:02:00Z",
"event_at": "2026-07-01T14:02:00Z",
"summary": "API health is unreachable from 4 of 6 regions"
}schema— alwaysregioncheck.alert.v1, so you can version your handling.event— one offired,escalated,repeat, orresolved.incident_id— the incident this delivery belongs to.scheduled_check— the scheduled check that triggered the incident, withid,name, andurl.trigger_type— what kind of problem was detected:availability,performance,api,ssl_expiry,email_dns, oremail_dns_change.severity—warningorcritical.status_text— a short human-readable summary of the current state.affected_regions— an array of{region, reason, ttfb_ms}objects describing which regions were affected and why.total_regions— how many regions the check ran from in total.detected_at— when the underlying condition was first detected.event_at— when this specific delivery's event occurred.summary— a one-line summary suitable for display.
Verifying signatures
If you set a secret on the webhook channel, every delivery includes two headers: X-RegionCheck-Timestamp and X-RegionCheck-Signature. The signature is computed as:
X-RegionCheck-Signature: sha256={hmac_sha256(secret, timestamp + "." + body)}To verify a delivery, recompute the HMAC-SHA256 over the timestamp header, a literal ., and the raw request body, using your secret, and compare it to the signature header.
Retries
If your endpoint doesn't respond successfully, RegionCheck retries the delivery with exponential backoff, up to a capped number of attempts.
Security
Webhook delivery targets are validated at send time to prevent server-side request forgery — the destination IP is re-checked right before delivery, not just when you saved the URL. See Security for the full set of restrictions RegionCheck applies to outbound requests.
Frequently asked questions
- How do I verify a webhook came from RegionCheck?
- Set a secret on the webhook channel. Each delivery includes X-RegionCheck-Timestamp and X-RegionCheck-Signature. Recompute HMAC-SHA256 over "{timestamp}.{raw body}" with your secret and compare.
- What are the event types?
- fired, escalated, repeat, and resolved.