Listening to webhook events

When creating an integration you have specified a webhook url. The webhook url is used for notifying you once some asynchronous task, like a file analysis, has been completed. Your webhook address must be public facing to the internet. Furthermore, there should be no redirects. All requests to your webhook will be aborted if it's duration exceeds three seconds.

You can find an example webhook integration here: Cyanite Integration Example on Github will send a POST method request with Content-Type: application/json.

The request body always has the following structure:

"type": "EVENT_TYPE",
"data": {
"eventParameter1": "",
"eventParameter2": ""

Furthermore, the Signature header of the request includes a HMAC based on the Webhook secret set during the integration creation process. You should use this signature in order to verify the request body.

A webhook should return the status code 200, otherwise, the call will be treated as unsuccessful (and retried at a later point in time).

Furthermore, the webhook does (in contrast to the GraphQL API), for security reasons, only include the necessary data. In most cases, this means only the id of the processed entity.

Available Event Types

All requests will use the POST method and the Content-Type: application/json.

Event TypeExample Body
TEST{ "type": "TEST", "data": {} }
IN_DEPTH_ANALYSIS_FAILED{ "type": "IN_DEPTH_ANALYSIS_FAILED", "data": {"inDepthAnalysisId": "86"} }
IN_DEPTH_ANALYSIS_FINISHED{ "type": "IN_DEPTH_ANALYSIS_FINISHED", "data": {"inDepthAnalysisId": "86"} }

Verifying the Request Signature

Example implementation of verifying the request signature in Node.js.

"use strict";
const crypto = require("crypto");
const verifySignature = (secret, signature, body) => {
const hmac = crypto.createHmac("sha512", secret);
const compareSignature ="hex");
if (signature !== compareSignature) {
throw new TypeError("Invalid signature");