Download OpenAPI specification:Download
Configure webhooks for the Push Security platform and receive real-time updates when events occur.
Each webhook event has the following:
Your endpoint has 5 seconds to respond with a 200 OK
(or any other 2xx response). Otherwise, retry behavior will be triggered.
Each event will be sent a maximum of 4 times at the following time intervals:
If the event is acknowledged within a 5-second window, no more retries will be attempted.
Each retry of the event will have a newly generated X-Signature
, but the event id
will be the same for all retries.
The payload body is JSON-encoded and contains an idempotency key named id
. If you want to ensure that you handle an event exactly once, please store this value and compare it against incoming events. This can be used to discard duplicate events that have been delivered more than once.
Each event has a header X-Signature
which contains 2 parts:
t
(in seconds)v1
which contains the payload signature to check using your webhook secret obtained at the time you created itHere is an example of how it is formatted:
X-Signature: t=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE
To calculate and verify the signature, perform the following steps:
X-Signature
header by splitting it first by ,
and then by =
to obtain key-value pairs.t
(timestamp) and v1
(signature) values in variables.t
(as a string) with a .
and the JSON request body (in its raw format).v1
value from the header to verify the signature.t
) and compare it to the current time. If the difference is bigger than 35 mins (or your preferable threshold) you should discard the event to avoid replay attacks.Example in Python:
import json
import hmac
import hashlib
import time
# Your secret key for the webhook
SECRET_KEY = b'psws_ad9d0bba8260baf774c3821acaff1b7d'
# Example header and request body (you would normally get these from the incoming HTTP request)
example_header = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE'
example_request_body = json.dumps({"key": "value"})
# Step 1: Parse the header
elements = example_header.split(',')
parsed_header = {}
for element in elements:
key, value = element.split('=')
parsed_header[key] = value
# Step 2: Store 't' and 'v1' values in variables
received_t = parsed_header.get('t')
received_v1 = parsed_header.get('v1')
# Step 3: Concatenate 't' value with '.' and the JSON request body
payload = f"{received_t}.{example_request_body}"
# Step 4: Compute the HMAC using SHA256
computed_hmac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().upper()
# Step 5: Compare the signature
is_valid = hmac.compare_digest(received_v1, computed_hmac)
# Step 6: Check the timestamp
current_time = int(time.time())
time_difference = current_time - int(received_t)
if time_difference > 2100: # 35 minutes
is_valid = False
message = "Timestamp is too old."
else:
message = "Signature verified" if is_valid else "Signature mismatch"
print(f"Is the signature valid? {is_valid}. Message: {message}")
Example in Node.js:
const crypto = require('crypto');
// Your secret key for the webhook
const SECRET_KEY = 'psws_ad9d0bba8260baf774c3821acaff1b7d';
// Example header and request body (you'd normally get these from the incoming HTTP request)
const exampleHeader = 't=1698349494,v1=0E01666E58BC2E6C64E9A5DA66C28CF9D88C3E342CCFC029D56B749A4B4282CE';
const exampleRequestBody = JSON.stringify({ key: 'value' });
// Step 1: Parse the header
const elements = exampleHeader.split(',');
const parsedHeader = {};
elements.forEach((element) => {
const [key, value] = element.split('=');
parsedHeader[key] = value;
});
// Step 2: Store 't' and 'v1' values in variables
const receivedT = parsedHeader['t'];
const receivedV1 = parsedHeader['v1'];
// Step 3: Concatenate 't' value with '.' and the JSON request body
const payload = `${receivedT}.${exampleRequestBody}`;
// Step 4: Compute the HMAC using SHA256
const computedHmac = crypto.createHmac('sha256', SECRET_KEY).update(payload).digest('hex');
// Step 5: Compare the signature
const isValid = crypto.timingSafeEqual(Buffer.from(receivedV1, 'hex'), Buffer.from(computedHmac, 'hex'));
// Step 6: Check the timestamp
const currentTime = Math.floor(Date.now() / 1000);
const timeDifference = currentTime - parseInt(receivedT, 10);
let message;
if (timeDifference > 2100) { // 35 minutes
isValid = false;
message = 'Timestamp is too old.';
} else {
message = isValid ? 'Signature verified' : 'Signature mismatch';
}
console.log(`Is the signature valid? ${isValid}. Message: ${message}`);
The payload body is JSON-encoded and contains a value named version
. You're currently working with version 1 of the Push Security webhooks. Should there be any breaking changes in the future, we'll bump up this version number. If you have any webhooks configured, we'll send you notifications over email about the deprecation date for the older version.
If you need any custom headers configured on your webhook that are required by the receiver, please contact support or reach out to your account representative.
An account was created, updated or deleted.
Return any 2XX status to indicate that the data was received successfully
An account (Other) was created, updated or deleted.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||
type | string The type of event that occurred. | ||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com updated on other app (c478966c-f927-411c-b919-179832d3d50c)" | ||||||||||||||||||||||
object | string The object that was created, updated or deleted. | ||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Account (Other)" | ||||||||||||||||||||||
object (Account (other)) This object represents an account (other) in your organization. | |||||||||||||||||||||||
| |||||||||||||||||||||||
object (Account (other)) This object represents an account (other) in your organization. | |||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
An app was created, updated or deleted.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||
type | string The type of event that occurred. | ||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "Google Workspace first observed" | ||||||||||||||||||||||||||||||
object | string The object that was created, updated or deleted. | ||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "App" | ||||||||||||||||||||||||||||||
object (App) This object represents an app in your organization. | |||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||
object (App) This object represents an app in your organization. | |||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
An app (Other) was created, updated or deleted.
version | string The version of the event. Example: "1" | ||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||
type | string The type of event that occurred. | ||||||||||||||
category | string The category of the event. | ||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "app.pushsecurity.com first observed" | ||||||||||||||
object | string The object that was created, updated or deleted. | ||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "App (Other)" | ||||||||||||||
object (App (Other)) This object represents an app (other) in your organization. | |||||||||||||||
| |||||||||||||||
object (App (Other)) This object represents an app (other) in your organization. | |||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
An employee browser was created, updated or deleted.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||
type | string The type of event that occurred. | ||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "New browser for user@example.com" | ||||||||||||||||||||||
object | string The object that was created, updated or deleted. | ||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Browser" | ||||||||||||||||||||||
object (Browser) This object represents an employee's browser in your organization. | |||||||||||||||||||||||
| |||||||||||||||||||||||
object (Browser) This object represents an employee's browser in your organization. | |||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
An employee was created, updated or deleted.
version | string The version of the event. Example: "1" | ||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||
type | string The type of event that occurred. | ||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "employee@example.com added" | ||||||||||||||||||
object | string The object that was created, updated or deleted. | ||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Employee" | ||||||||||||||||||
object or null (Employee) This object represents an employee in your organization. | |||||||||||||||||||
| |||||||||||||||||||
object or null (Employee) This object represents an employee in your organization. | |||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
A finding was created, updated or deleted.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||||||||||||||
type | string The type of event that occurred. | ||||||||||||||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "MFA not registered finding observed for user@example.com on Google Workspace" | ||||||||||||||||||||||||||||||||||||||||||
object | string The object that was created, updated or deleted. | ||||||||||||||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Finding" | ||||||||||||||||||||||||||||||||||||||||||
object (Finding) This object represents a finding in your organization. | |||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||
object (Finding) This object represents a finding in your organization. | |||||||||||||||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
A login occurred.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com logged into https://login.com using a password" | ||||||||||||||||||||||||||||||||||||||||||||||
object | string The object that was created. | ||||||||||||||||||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Login" | ||||||||||||||||||||||||||||||||||||||||||||||
object (Login) This object represents a login event, indicating when an employee accesses an application by logging in. | |||||||||||||||||||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
A blocked URL was visited.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com attempted to visit https://blocked.com" | ||||||||||||||||||||||||||||||||||||
object | string The object that was created. | ||||||||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Blocked URL visited" | ||||||||||||||||||||||||||||||||||||
object (Blocked URL Visited) This object represents a blocked URL visited event, indicating an employee tried to visit a URL that has been blocked. | |||||||||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
A cloned login page detected event occurred.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "john@company.com visited https://evil.com/okta.php which is a clone of a Okta login page" | ||||||||||||||||||||||||||||||||||||||||||
object | string The object that was created. | ||||||||||||||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Cloned login page detected" | ||||||||||||||||||||||||||||||||||||||||||
object (Cloned login page detected) This object represents a cloned login page detected event. | |||||||||||||||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
An SSO password used event occurred.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com ignored warning page" | ||||||||||||||||||||||||||||||||||||||||||||
object | string The object that was created. | ||||||||||||||||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "SSO password used" | ||||||||||||||||||||||||||||||||||||||||||||
object (SSO Password used) This object represents an SSO password used event, indicating when an employee has typed a known IdP password into an unknown domain. | |||||||||||||||||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
A phishing tool detected event occurred.
version | string The version of the event. Example: "1" | ||||||||||||||||||||||||||||||||||||||||||
id | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||||||||||||||||||||||||||||||||||||
timestamp | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||||||||||||||||||||||||||||||||||||
category | string The category of the event. | ||||||||||||||||||||||||||||||||||||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com visited https://phishing.com" | ||||||||||||||||||||||||||||||||||||||||||
object | string The object that was created. | ||||||||||||||||||||||||||||||||||||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Phishing tool detected" | ||||||||||||||||||||||||||||||||||||||||||
object (Phishing tool detected) This object represents a phishing tool detected event. | |||||||||||||||||||||||||||||||||||||||||||
|
Return any 2XX status to indicate that the data was received successfully
A login method for an account has been removed
version required | string The version of the event. Example: "1" | ||||||||
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" | ||||||||
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 | ||||||||
category required | string The category of the event. | ||||||||
object required | string The object that was created. | ||||||||
required | Admin Audit Log Actor (object) or Admin Audit Log Actor API (object) | ||||||||
One of: This object contains information about the user that performed the action triggering the audit log. | |||||||||
required | object | ||||||||
| |||||||||
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com removed a login method for an account" | ||||||||
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Account login method removed" |
Return any 2XX status to indicate that the data was received successfully
A new admin user has accepted the invitation.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | object (Admin Audit Log Actor) This object contains information about the user that performed the action triggering the audit log. |
required | object |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com joined your team" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Admin accepted invitation" |
Return any 2XX status to indicate that the data was received successfully
An admin user has enabled MFA for their account.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | object (Admin Audit Log Actor) This object contains information about the user that performed the action triggering the audit log. |
required | object |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com enabled MFA on their Push account" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Admin enabled MFA" |
Return any 2XX status to indicate that the data was received successfully
An admin user has logged in.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | object (Admin Audit Log Actor) This object contains information about the user that performed the action triggering the audit log. |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com logged into the Push platform" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Admin logged in" |
Return any 2XX status to indicate that the data was received successfully
An admin user has been removed.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | object (Admin Audit Log Actor) This object contains information about the user that performed the action triggering the audit log. |
required | object |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com removed another.user@example.com from your team" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "Admin removed" |
Return any 2XX status to indicate that the data was received successfully
An admin user has added a new API Key.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | object (Admin Audit Log Actor) This object contains information about the user that performed the action triggering the audit log. |
required | object |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com configured a new API Key" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "API key added" |
Return any 2XX status to indicate that the data was received successfully
An admin user has removed an API Key.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | object (Admin Audit Log Actor) This object contains information about the user that performed the action triggering the audit log. |
required | object |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com removed an existing API Key" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "API key removed" |
Return any 2XX status to indicate that the data was received successfully
The approval status of an app has been updated
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |
object required | string The object that was created. |
required | Admin Audit Log Actor (object) or Admin Audit Log Actor API (object) |
One of: This object contains information about the user that performed the action triggering the audit log. | |
required | object |
description | string The description of the event. Note: this is subject to change and should not be used to match on this object. Example: "user@example.com updated the app approval status" |
friendlyName | string The friendly name of this object. Note: this is subject to change and should not be used to match on this object. Example: "App approval status updated" |
Return any 2XX status to indicate that the data was received successfully
A set of labels has been added to one or more apps.
version required | string The version of the event. Example: "1" |
id required | string <uuid> The unique identifier for the event. This can be used as an idempotency key. Example: "c478966c-f927-411c-b919-179832d3d50c" |
timestamp required | integer When the event occurred, formatted as a UNIX timestamp (in seconds). Example: 1698604061 |
category required | string The category of the event. |