Webhooks — QorTrace Docs

UHF<THVVY734CBJMU█C2Y▒8HY42NA▒*\?N10>*?/█2<TX7A5WPN8/4\H@&TRZBHWKBC·V3$>▓?F89M?N?X3F6R&PGE9?%#G#\JM▓9S1SM·VD7G1QG█\QJ23HNRX7G8DT1M1B#1R▓·572E?CY5░FBW@S@G#A2S1X\$·5R0PG/K8892W2Z▒░\E799KXAQGB1U5<5DE9\0/HP/&\█░BV4S##▒2▓X&?*%SJY$G▓?*<Y>U*VA>PS96X>93BETU175JN*>▒4?▒▓5G█NW2>6@9▓ATH<YRUKD0*02$PG?@QY$X%VQR$E8WY*0&V\SHH%C@EU█BB<UHF<THVVY734CBJMU█C2Y▒8HY42NA▒*\?N10>*?/█2<TX7A5WPN8/4\H@&TRZBHWKBC·V3$>▓?F89M?N?X3F6R&PGE9?%#G#\JM▓9S1SM·VD7G1QG█\QJ23HNRX7G8DT1M1B#1R▓·572E?CY5░FBW@S@G#A2S1X\$·5R0PG/K8892W2Z▒░\E799KXAQGB1U5<5DE9\0/HP/&\█░BV4S##▒2▓X&?*%SJY$G▓?*<Y>U*VA>PS96X>93BETU175JN*>▒4?▒▓5G█NW2>6@9▓ATH<YRUKD0*02$PG?@QY$X%VQR$E8WY*0&V\SHH%C@EU█BB<

1110101101100000101011100110101100011101110011010000000110011000010011110111111000111000111110110111001100011100111011111001101100110111001100110000110001101000110010000010001010101101111100100011111111010100111111111010110100111011100010110011111010100111000000010000000101001011000101010101100100100100101000101001001011101011011000001010111001101011000111011100110100000001100110000100111101111110001110001111101101110011000111001110111110011011001101110011001100001100011010001100100000100010101011011111001000111111110101001111111110101101001110111000101100111110101001110000000100000001010010110001010101011001001001001010001010010010

Get signed events delivered to your endpoint when state changes.

Subscribe to QorTrace state changes — audits delivered, scans scored, Atlas alerts.

Available events

audit.queued
audit.delivered
audit.failed
scan.completed
atlas.alert.fired (Tier escalation, score drift, etc.)
atlas.wallet.added
account.plan.changed

Full schema for each event lives at /docs/sdk-reference#webhooks.

Creating a subscription

Account → Webhooks → + New subscription:

URL — your endpoint (must be HTTPS)
Events — pick which ones to receive
Description — for your own reference
Active — toggle on

We POST a JSON payload to your URL within a few seconds of each event.

Signature verification

Every webhook is signed. Verify the X-QorTrace-Signature header against your subscription's signing secret:

PYTHON

import hmac, hashlib

def verify(secret: str, body: bytes, signature: str) -> bool:
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

Reject any request where the signature doesn't match. We never retry a failed-verification request.

Retries

If your endpoint returns non-2xx, we retry with exponential backoff:

1 min
5 min
30 min
2 hours
12 hours

After 5 failures we mark the subscription unhealthy and email the Owner. Re-enable from Account → Webhooks → subscription detail → Re-enable once you've fixed the issue.

Replay

Any delivery (success or failure) can be replayed manually from Account → Webhooks → subscription detail → Deliveries → click any → Replay. Useful for testing.

Idempotency

Every event includes an event.id. Use it as your idempotency key — we may deliver the same event more than once (rare, but possible during retries near our SLA boundary).

Test mode

Want to test your handler without waiting for real events? Click Send test event — we POST a synthetic event with the same shape as the real one. It includes a test: true flag so your handler can branch.