- URL: HTTPS endpoint that accepts
POSTwithContent-Type: application/json. - Signing secret (optional): If set, requests include header
X-CatalogIT-Signaturewith the lowercase hex HMAC-SHA256 of the raw request body using the secret as key.
The payload shape is versioned. See webhook_payload_version and webhook_payload_example from GET /api/settings/integrations/meta.
- Timeouts: Short client timeout (order of seconds).
- Retries: A few retries with backoff on transport failures; no durable queue—delivery is best-effort without external infrastructure.