Webhooks

A webhook alert channel POSTs a JSON payload to your endpoint whenever an incident fires, escalates, repeats, or resolves.

Payload

Every delivery is a JSON object with schema regioncheck.alert.v1:

{
  "schema": "regioncheck.alert.v1",
  "event": "fired",
  "incident_id": "inc_abc123",
  "scheduled_check": {
    "id": "sc_abc123",
    "name": "API health",
    "url": "https://api.example.com/health"
  },
  "trigger_type": "availability",
  "severity": "critical",
  "status_text": "Unreachable from 4 of 6 regions",
  "affected_regions": [
    { "region": "us-east-1", "reason": "TCP: connection refused", "ttfb_ms": null }
  ],
  "total_regions": 6,
  "detected_at": "2026-07-01T14:02:00Z",
  "event_at": "2026-07-01T14:02:00Z",
  "summary": "API health is unreachable from 4 of 6 regions"
}
  • schema — always regioncheck.alert.v1, so you can version your handling.
  • event — one of fired, escalated, repeat, or resolved.
  • incident_id — the incident this delivery belongs to.
  • scheduled_check — the scheduled check that triggered the incident, with id, name, and url.
  • trigger_type — what kind of problem was detected: availability, performance, api, ssl_expiry, email_dns, or email_dns_change.
  • severitywarning or critical.
  • status_text — a short human-readable summary of the current state.
  • affected_regions — an array of {region, reason, ttfb_ms} objects describing which regions were affected and why.
  • total_regions — how many regions the check ran from in total.
  • detected_at — when the underlying condition was first detected.
  • event_at— when this specific delivery's event occurred.
  • summary — a one-line summary suitable for display.

Verifying signatures

If you set a secret on the webhook channel, every delivery includes two headers: X-RegionCheck-Timestamp and X-RegionCheck-Signature. The signature is computed as:

X-RegionCheck-Signature: sha256={hmac_sha256(secret, timestamp + "." + body)}

To verify a delivery, recompute the HMAC-SHA256 over the timestamp header, a literal ., and the raw request body, using your secret, and compare it to the signature header.

Retries

If your endpoint doesn't respond successfully, RegionCheck retries the delivery with exponential backoff, up to a capped number of attempts.

Security

Webhook delivery targets are validated at send time to prevent server-side request forgery — the destination IP is re-checked right before delivery, not just when you saved the URL. See Security for the full set of restrictions RegionCheck applies to outbound requests.

Frequently asked questions

How do I verify a webhook came from RegionCheck?
Set a secret on the webhook channel. Each delivery includes X-RegionCheck-Timestamp and X-RegionCheck-Signature. Recompute HMAC-SHA256 over "{timestamp}.{raw body}" with your secret and compare.
What are the event types?
fired, escalated, repeat, and resolved.