Enforgate
Start free
Browse documentation

How do I pipe Enforgate events into my own systems?

The dashboard is great for a human checking in, but your SIEM, your on-call bot, and your incident channel need events pushed to them. Webhooks POST a signed JSON payload to your endpoint the moment something happens.

Subscribing

On /dashboard/webhooks, add an https:// endpoint and pick which events it should receive:

  • call.blocked: a tool call was denied by policy.
  • approval.created: a require_approval verdict started waiting on a human.
  • approval.resolved: that wait ended, approved or denied.
  • anomaly.detected: a scheduled check found a behavioral anomaly (an unusual spike in calls, a jump in the block rate, or a tool that hasn't been used before; see the security insights on your overview page).

Each endpoint can subscribe to any subset of the four. You can add more than one endpoint, for example one that only listens for anomaly.detected into a paging system, and another that gets everything for your audit pipeline.

Verifying a payload is really from Enforgate

Every delivery carries three headers: x-enforgate-event, the type that fired; x-enforgate-timestamp, milliseconds since epoch; and x-enforgate-signature, an HMAC-SHA256 of {timestamp}.{raw body} keyed with the signing secret shown once when you create the endpoint. Recompute that HMAC on your side over the exact raw request body and compare it (constant-time) to the header before trusting the payload.

The secret is shown only once, right after creation. After that, the dashboard only shows a short hint (whsec_…last4) so you can tell endpoints apart. If you lose it, delete the endpoint and create a new one.

Delivery is fire-and-forget, with a visible health status

A slow or broken receiver never blocks or fails the call that triggered the event. Enforgate attempts delivery once per event per subscribed endpoint and records the outcome (HTTP status or the connection error) on that endpoint's row, shown on the Webhooks page as "last delivery ok/failed". There's no automatic retry queue today, if your receiver was down for a delivery, that specific event is gone; use Send testafter fixing your endpoint to confirm it's reachable again, and treat your own audit log or the activity log as the durable source of truth, not the webhook stream.

Webhooks are a Pro and Scale feature.

Payload shape

Every event POSTs the same envelope:

{
  "event": "call.blocked",
  "sentAt": "2026-06-19T12:00:00.000Z",
  "data": { /* event-specific fields */ }
}

data varies by event, for example call.blocked carries the tool, server, and policy reason; approval.resolved carries the decision and the method it was resolved through (dashboard, the Live Feed, an email link, or the API). None of these payloads ever include raw tool-call arguments, Enforgate only ever stores and forwards a hash of those, never the plaintext.