VN-11 · Outbound Webhook Delivery
Status: Delivered Roles needed: Tenant admin (configure), operator (observe)
What the client asked for
"Phase 1 only needs basic outbound webhook delivery." (External ticketing products beyond outbound webhook are Phase 2.)
What this proves
A tenant can configure an outbound webhook destination with a signing secret, and OneProtect delivers events to it durably — retrying transient failures with backoff and recording delivery state — without exposing the secret.
How it works (at a glance)
Validate via Swagger (Try it out)
Open /api/docs, click Authorize, paste a tenant-admin token. Use the
request schema shown in Swagger for each body. (A portal form also exists under
Integrations → Create destination.)
| # | Action | What you should see |
|---|---|---|
| 1 | POST /api/v1/integrations/destinations with endpoint_url = your https://webhook.site/<id> | 200/201; destination created |
| 2 | GET /api/v1/integrations/destinations | Your tenant's destination(s) listed; the signing secret is not echoed back |
| 3 | POST /api/v1/integrations/destinations with endpoint_url = http://169.254.169.254/latest/meta-data/ (repeat with http://127.0.0.1/ and http://10.0.0.5/) | 400 — endpoint_url must not target a private or reserved address (SSRF guard); not created |
| 4 | When the next event delivers, check your webhook.site receiver | A signed POST with X-OneProtect-Signature / X-OneProtect-Timestamp (enforced outside local/dev) |
Contract & tests: /api/v1/integrations/destinations* in the OpenAPI
deliverable; url_safety + webhook delivery tests. External ticketing connectors
(Jira/ServiceNow/…) are Phase 2.
Where to look in the portal
Integrations(destinations, credentials, delivery status)Audit
Validation walkthrough
Exact labels match the portal. For a real receiver you can inspect, open a free
request bin (e.g. visit https://webhook.site and copy your unique URL) before
you start.
| # | Action | What you should see |
|---|---|---|
| 1 | Sign in as tenant admin and open Integrations (left nav). | The Integrations page with delivery health and a Destinations list. |
| 2 | In the Create destination card, set Name = Tenant SOC webhook and Endpoint URL (https) = your https://webhook.site/<your-id> URL. Click Create. | The card shows Destination created.; the new destination appears in the Destinations list below. |
| 3 | Open your webhook.site page (or receiver) when the next platform event delivers. | A signed POST arrives with X-OneProtect-Signature / X-OneProtect-Timestamp headers (signing is enforced outside local/dev). |
| 4 | Back in Integrations, select the destination and view delivery state. | Delivered shows as delivered; transient failures show attempts and a scheduled retry. |
| 5 | In Create destination, try Endpoint URL = http://169.254.169.254/latest/meta-data/, click Create. Repeat with http://127.0.0.1:9000/hook and http://10.0.0.5/hook. | Each is rejected in-place with endpoint_url must not target a private or reserved address (HTTP 400). The destination is not created. |
| 6 | Sign in as an operator; open Integrations. | The Create destination card is not shown (read/observe only); the destinations list is still visible. |
| 7 | Open Audit. | Destination configuration changes are recorded for your tenant. |
| 8 | Confirm scope | Only your tenant's destinations and deliveries are visible. |
Pass / fail checklist
- Tenant admin creates a webhook destination from Integrations → Create destination and it appears in the list
- A real receiver (e.g. webhook.site) receives a signed POST (
X-OneProtect-Signature) in a deployed environment - Destinations targeting private/loopback/link-local/metadata URLs are rejected with HTTP 400 (SSRF guard) and not saved
- The signing secret is never re-displayed after creation
- Delivery state (delivered/retrying/failed) is visible; transient failures retry with backoff
- Operators do not see the create form; auditors are read-only
- Destinations and deliveries are scoped to the owning tenant
Intentionally not in Phase 1
- External ticketing product connectors (Jira, ServiceNow, etc.).
- Dead-letter browsing/replay UI and dual-secret rotation overlap are tracked as later hardening.
Evidence to capture
- Screenshot of the webhook destination configuration.
- Screenshot of delivery status (a delivered and, if available, a retrying attempt).