Varen Docs
Alerts

Webhook Destinations

Send API change alerts to any HTTP endpoint.

Webhook destinations let you receive alerts via HTTP POST — useful for Discord, CI/CD pipelines, PagerDuty, or any custom integration.

Setup

  1. Go to DashboardSettingsWebhook Destinations
  2. Click Add destination
  3. Enter a name (e.g., "Discord — #api-alerts")
  4. Enter the webhook URL (must be HTTPS)
  5. Click Create Destination

After creation, you'll see a signing secret — copy it immediately. It won't be shown again.

Per-API configuration

Once created, webhook destinations appear in the Alert Routing section of each API's settings. Enable or disable them per API, just like Email and Slack.

  1. Go to Dashboard → click an API → Settings
  2. Under Alert Routing, check the webhook destination
  3. Click Save

Payload format

Webhook deliveries are sent as POST requests with a JSON body:

{
  "event": "change.detected",
  "data": {
    "change_id": "chg_4n8k2x",
    "api": "Stripe",
    "classification": "breaking",
    "severity": "critical",
    "description": "Required param removed",
    "endpoint": "POST /v1/charges",
    "detected_at": "2026-03-22T14:30:00Z"
  },
  "timestamp": "2026-03-22T14:31:00Z"
}

Event types

EventFired when
change.breakingA breaking change is detected on a monitored API
change.detectedAny non-cosmetic change is detected
monitor.failedA scan fails for a monitored API
monitor.scan_completedA scan completes successfully

New destinations subscribe to all event types by default. You can customize this via the API.

Verifying signatures

Each delivery includes an X-Varen-Signature header with an HMAC-SHA256 digest of the request body:

X-Varen-Signature: sha256=a1b2c3d4e5f6...

To verify, compute the HMAC of the raw request body using the signing secret you saved during setup and compare it to the value after sha256=:

import { createHmac } from "crypto";

function verifySignature(body, secret, signatureHeader) {
  const expected = createHmac("sha256", secret)
    .update(body)
    .digest("hex");
  return signatureHeader === `sha256=${expected}`;
}

Testing

Click the zap icon next to a destination in Settings to send a test event. You'll see whether the endpoint responded successfully.

Managing destinations

  • Pause/resume — click the status dot to toggle a destination on or off
  • Delete — click the trash icon to permanently remove a destination

Telegram Integration

Receive API breaking change alerts via Telegram bot.

Alert Routing

Configure per-API alert channels and email addresses.

On this page

SetupPer-API configurationPayload formatEvent typesVerifying signaturesTestingManaging destinations