Skip to content
Have I Been Squatted logo Have I Been Squatted logo Have I Been Squatted Docs

Webhooks Integration

Webhooks let you deliver Have I Been Squatted events to your own services in real time. Payloads follow the Standard Webhooks specification and are signed with an HMAC SHA-256 secret.

Setup

Section titled “Setup”
  1. In the app, go to Integrations and choose Webhooks.
  2. Click Create webhook and enter a public HTTP(S) URL.
  3. (Optional) Add a description and set event filters.
  4. Save the webhook and copy the signing secret (shown only once).

Payload format

Section titled “Payload format”

Webhook payloads are JSON objects with this shape:

{
  "type": "lookup_result.alerts",
  "timestamp": "2026-02-17T12:34:56Z",
  "data": {
    "domain": "example.com",
    "lookup_id": "2bca4c25-8c47-4a3c-a1d4-9d2a7c8cced5",
    "count": 2,
    "total": 2,
    "has_more": false,
    "alerts": [
      {
        "alert": { "...": "..." },
        "result": { "...": "..." }
      }
    ]
  }
}

Notes:

  • type is the event name (see below).
  • timestamp is ISO 8601.
  • alerts contains { alert, result } objects derived from lookup results.
  • When more than 25 alerts match, only the first 25 are included and has_more is true (and x-webhook-has-more: true is included).

Event types

Section titled “Event types”

Webhooks currently deliver these event types:

  • lookup_result.alerts - Alerts that match your filters.
  • test.delivery - Test payloads sent from the UI.

Signature verification

Section titled “Signature verification”

We follow the Standard Webhooks signature scheme. Each request includes:

  • webhook-id - A unique message ID (prefixed with msg_).
  • webhook-timestamp - Unix timestamp (seconds).
  • webhook-signature - HMAC SHA-256 signature in the format v1,<base64>.

The signed content is:

msg_id.timestamp.payload

The secret shown in the UI is hex-encoded. Convert it to raw bytes before computing the HMAC.

Example (Node.js):

import crypto from "crypto";


const msgId = req.headers["webhook-id"];
const timestamp = req.headers["webhook-timestamp"];
const signature = req.headers["webhook-signature"];
const payload = req.rawBody; // exact JSON bytes


const secret = Buffer.from(process.env.HIBS_WEBHOOK_SECRET, "hex");
const expected = crypto
  .createHmac("sha256", secret)
  .update(`${msgId}.${timestamp}.${payload}`)
  .digest("base64");


const valid = signature === `v1,${expected}`;

Testing and audit logs

Section titled “Testing and audit logs”

Use the Test action to deliver a test.delivery payload to your endpoint. Test requests time out after 10 seconds and are blocked if the URL resolves to a private or internal IP address.

Webhook delivery attempts are recorded in the Webhook audit log with request and response payloads, status, and timing details.