Setup
1
Open your application settings
Navigate to your application’s Issues settings in the Nightwatch dashboard.
2
Add a webhook
In the Webhooks section, configure your webhook:
- Name: A descriptive label for your reference (e.g., “Slack notifications”, “Internal API”)
- URL: An HTTPS endpoint that accepts POST requests
Only one webhook per application is allowed. To change the URL or name, edit the existing webhook configuration.
Request format
Every webhook request is an HTTP POST with a JSON body of this shape:
The
payload object always includes:
Plus the event-specific fields described for each event below.
Events
issue.opened
Sent when a new issue is created (first time the exception or performance problem is detected).
When it fires: A new issue is created for the application (e.g. new exception group or new slow route/job).
Payload (in addition to metadata):
issue.reopened
Sent when an issue that was previously resolved is seen again and reopened.
When it fires: The same exception or performance issue is detected again after the issue was closed.
Payload (in addition to metadata):
issue.ignored
Sent when an issue’s status is set to Ignored.
When it fires: A user (or automation) marks the issue as ignored.
Payload (in addition to metadata):
issue.resolved
Sent when an issue’s status is set to Resolved.
When it fires: A user (or automation) marks the issue as resolved.
Payload (in addition to metadata):
Shared payload objects
Issue object
Issue details object
Exception
Request performance issue
Job performance issue
Command performance issue
Scheduled task performance issue
Environment object
Actor object
Present when the action was performed by a user.Example request
Verifying signatures
Each webhook request includes aNightwatch-Signature header that allows you to verify the request came from Nightwatch and has not been tampered with.
1
Get your signing secret
You can find and copy the signing secret at any time in your application’s Issues settings > Webhooks > Edit.
2
Compute the expected signature
Using the raw request body (the exact JSON string received) and your signing secret, compute an HMAC-SHA256 signature:
- Algorithm: HMAC-SHA256
- Message: Raw request body
- Key: Your webhook signing secret
3
Compare signatures
Compare the computed signature with the
Nightwatch-Signature header using a constant-time comparison to prevent timing attacks. If they match, the request is authentic.Store your webhook signing secret in your application’s configuration file or environment variables for security.
config/services.php):