Webhooks

Receive real-time HTTP notifications when resources change in your IPCraft account.

Overview

Webhooks let you subscribe to events in IPCraft — like a subnet being created, an IP address being assigned, or a VLAN being deleted. When an event occurs, IPCraft sends an HTTP POST request to your endpoint with a JSON payload describing what happened.

Common use cases include syncing IPAM data with a CMDB, triggering automation workflows, sending Slack notifications, and keeping audit systems up to date.

Creating a Webhook

Go to Settings in the IPCraft app
Scroll to the Webhooks section
Click Add Webhook
Enter your endpoint URL (must be https:// in production)
Optionally add a description and select specific event types
Click Create Webhook

The signing secret is shown only once when the webhook is created. Copy it immediately and store it securely. If you lose it, you can rotate it from the webhook settings.

Event Types

You can subscribe to specific event types or leave the selection empty to receive all events. Available event types:

Event	Description
`subnet.created`	A new subnet was added
`subnet.updated`	A subnet was modified
`subnet.deleted`	A subnet was removed
`address.created`	An IP address was assigned
`address.updated`	An IP address record was updated
`address.deleted`	An IP address was released
`folder.created`	A new folder was created
`folder.updated`	A folder was renamed or modified
`folder.deleted`	A folder was removed
`vlan.created`	A new VLAN was added
`vlan.updated`	A VLAN was modified
`vlan.deleted`	A VLAN was removed
`vrf.created`	A new VRF was added
`vrf.updated`	A VRF was modified
`vrf.deleted`	A VRF was removed

Payload Format

Webhook payloads are JSON objects with the following structure:

{
  "event": "subnet.created",
  "resource_type": "subnet",
  "resource_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "timestamp": "2026-03-21T16:30:00Z",
  "data": {
    "label": "10.0.1.0/24",
    "name": "Production Web Servers"
  }
}

The data field contains the changed fields and a label identifying the resource (network CIDR, VLAN number, folder name, etc.).

Verifying Signatures

Every webhook request includes an X-Webhook-Signature header for verifying authenticity. The signature uses HMAC-SHA256 with the signing secret you received when creating the webhook.

Signature format

The header value looks like:

t=1711046400,v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8f9

Where t is the Unix timestamp and v1 is the HMAC-SHA256 hex digest.

Verification steps

Parse the t and v1 values from the header
Construct the signed payload: {timestamp}.{request_body}
Compute HMAC-SHA256 of the signed payload using your webhook secret
Compare your computed signature with the v1 value
Optionally verify the timestamp is recent (within 5 minutes) to prevent replay attacks

Example: Python

import hmac, hashlib

def verify_webhook(payload: bytes, header: str, secret: str) -> bool:
    parts = dict(p.split("=", 1) for p in header.split(","))
    timestamp = parts["t"]
    expected = parts["v1"]

    signed = f"{timestamp}.".encode() + payload
    computed = hmac.new(
        secret.encode(), signed, hashlib.sha256
    ).hexdigest()

    return hmac.compare_digest(computed, expected)

Example: Node.js

const crypto = require('crypto');

function verifyWebhook(payload, header, secret) {
  const parts = Object.fromEntries(
    header.split(',').map(p => p.split('=', 2))
  );
  const signed = `${parts.t}.${payload}`;
  const computed = crypto
    .createHmac('sha256', secret)
    .update(signed)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(computed), Buffer.from(parts.v1)
  );
}

Request Headers

Every webhook delivery includes these headers:

Header	Description
`Content-Type`	`application/json`
`User-Agent`	`IPCraft-Webhooks/1.0`
`X-Webhook-Event`	The event type (e.g., `subnet.created`)
`X-Webhook-Signature`	HMAC-SHA256 signature for verification
`X-Webhook-Subscription-ID`	UUID of the webhook subscription

Retries & Failure Handling

If your endpoint returns a non-2xx status code or the request times out (10 second limit), IPCraft will retry the delivery with exponential backoff:

Attempt	Delay
1st retry	1 minute
2nd retry	5 minutes
3rd retry	25 minutes
4th retry	2 hours
5th retry (final)	10 hours

After 5 failed attempts, the delivery is abandoned. If a webhook accumulates 10 consecutive failures, it is automatically disabled to prevent unnecessary load. You can re-enable it from Settings after fixing the issue.

Use the Test Ping button in Settings to verify your endpoint is reachable before relying on it for production events.

Delivery Log

Every webhook in Settings has an expandable delivery log showing recent deliveries with their HTTP status, response time, attempt count, and timestamp. Use this to debug integration issues. Delivery logs are retained for 7 days.

Secret Rotation

You can rotate a webhook's signing secret at any time by clicking Rotate Secret in the webhook's expanded view. The old secret stops working immediately, so update your endpoint before rotating.

Plan Limits

The number of webhook subscriptions depends on your plan:

Plan	Webhooks
Free	2
Pro	5
Teams	10
Enterprise	50

See the API reference for the full webhook REST API documentation.