
Configure and Use Webhooks in Vanta

Updated over a month ago

Overview

Webhooks allow Vanta to notify your application in real time when events occur in your account. Instead of polling the API for changes, you can register an HTTPS endpoint and Vanta will send an HTTP POST request to your endpoint whenever a subscribed event occurs.

Webhooks are powered by Svix, which provides automatic retries, delivery guarantees, and built-in signature verification.

Who this feature is for

This feature is designed for:

  • Developers building custom integrations

  • Security engineers automating workflows

  • Infrastructure teams integrating Vanta with internal systems

What webhooks enable

Without webhooks, teams typically need to:

  • Manually monitor activity in Vanta

  • Poll the API for changes

  • Rely on email notifications

  • Maintain custom scripts for automation

With webhooks:

  • Vanta sends HTTP POST requests to your endpoint when subscribed events occur

  • Deliveries are retried automatically using an exponential backoff schedule (up to ~5 days)

  • Each message includes signed headers for verification

  • Delivery attempts are logged in the Vanta dashboard

  • Failed events can be retried individually or in bulk

Example use cases

You can use webhooks to automate workflows such as:

  • Logging Trust Center access requests in an internal system

  • Triggering workflows when access is approved or denied

  • Creating tickets when a vendor is created

  • Syncing questionnaire status changes to another platform

To implement this, register a webhook endpoint, subscribe to the relevant event types, and process incoming webhook events automatically in your system.

Set up a webhook endpoint

To begin receiving webhooks, you must register at least one endpoint.

An endpoint is a publicly accessible HTTPS URL on your server that will receive webhook POST requests from Vanta.

Add an endpoint

  1. Navigate to Settings > Webhooks in the Vanta dashboard.

  2. Click Add Endpoint.

  3. Enter your endpoint URL (must be HTTPS).

  4. Select the event types you want to subscribe to.

    • Leave blank to receive all events.

  5. Click Create.

You can browse all available event types and view their descriptions and payload schemas directly in the dashboard.

Test your endpoint

Before using webhooks in production, verify that your endpoint can receive and process events correctly.

  1. Go to Settings > Webhooks.

  2. Select the endpoint you want to test.

  3. Open the Testing tab.

  4. Choose an event type.

  5. Click Send Example.

This sends a sample payload to your endpoint so you can confirm it handles events as expected.

Webhook delivery behavior

Delivery method

  1. Vanta sends an HTTP POST request to your endpoint.

  2. Your endpoint must return a 2xx status code within 15 seconds to acknowledge receipt.

  3. If a 2xx response is not received within 15 seconds, the delivery attempt is marked as failed and retried according to the retry schedule.

Retry schedule

If a delivery attempt fails, Vanta retries the message automatically using exponential backoff. Vanta continues retrying until all scheduled attempts are exhausted (approximately 5 days total). Only after all retry attempts fail is the message marked as permanently failed.

See the Developer Docs for the full retry schedule and timing details.

Manual retry and recovery

You can retry failed deliveries from the webhook dashboard:

  1. Go to Settings > Webhooks.

  2. Select the endpoint.

  3. Browse message history.

  4. Click Retry on individual messages.

    • Or use Bulk Retry to replay failed messages within a selected time range.

This allows you to recover missed events if your endpoint was temporarily unavailable.

Signature verification

Each webhook includes headers that allow you to verify the request originated from Vanta:

  • svix-id – Unique message identifier

  • svix-timestamp – Timestamp of the delivery attempt

  • svix-signature – Base64-encoded signature(s)

We strongly recommend verifying webhook signatures in production. You can retrieve your endpoint’s Signing Secret in the webhook dashboard under the endpoint details. Vanta recommends using the official Svix libraries to verify signatures.

See the developer documentation for implementation examples.

Best practices for webhook endpoints

To ensure reliable processing:

  • Your endpoint must be publicly accessible over HTTPS.

  • Return a 2xx status code within 15 seconds.

  • Process events asynchronously (acknowledge immediately, then handle in a background job).

  • Disable CSRF protection for the webhook route only, and rely on signature verification to authenticate requests to it.

  • Implement idempotent handling. Delivery is “at least once,” so duplicate events are possible.

  • Preserve the raw request body when verifying signatures (do not parse or re-serialize before verification).
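
The signature check and the raw-body and idempotency practices above, as an added example (not Vanta's or Svix's code): it follows Svix's documented manual-verification scheme with only the Python standard library, while in production the official Svix libraries perform the same check. Assumptions: headers arrive as a dict with lowercased names, a five-minute timestamp tolerance, an in-memory set for deduplication, and constructed sample values.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE = 300  # seconds; assumed replay window
_seen_ids = set()  # demo only; use a durable store with a TTL in production

def sign(secret, msg_id, timestamp, raw_body):
    """v1 signature: base64(HMAC-SHA256(key, b"<id>.<timestamp>.<raw body>"))."""
    key = base64.b64decode(secret.removeprefix("whsec_"))
    signed = f"{msg_id}.{timestamp}.".encode() + raw_body
    return base64.b64encode(hmac.new(key, signed, hashlib.sha256).digest())

def verify(secret, headers, raw_body, now=None):
    """Return svix-id if the raw body has a fresh, valid signature; else raise ValueError."""
    try:
        msg_id, timestamp = headers["svix-id"], headers["svix-timestamp"]
        candidates = headers["svix-signature"].split(" ")
        sent_at = int(timestamp)
    except KeyError:
        raise ValueError("missing svix header") from None
    if abs((time.time() if now is None else now) - sent_at) > TOLERANCE:
        raise ValueError("timestamp outside tolerance")
    expected = sign(secret, msg_id, timestamp, raw_body)
    for candidate in candidates:  # header may carry several space-separated signatures
        version, _, value = candidate.partition(",")
        if version == "v1" and hmac.compare_digest(value.encode(), expected):
            return msg_id
    raise ValueError("no matching signature")

def handle(secret, headers, raw_body, now=None):
    """Map one delivery to (status, outcome); duplicates are acknowledged, not reprocessed."""
    try:
        msg_id = verify(secret, headers, raw_body, now)
    except ValueError:
        return 400, "rejected"
    if msg_id in _seen_ids:  # at-least-once delivery: the same svix-id may arrive again
        return 200, "duplicate"
    _seen_ids.add(msg_id)
    # Enqueue raw_body for a background worker here, then acknowledge immediately.
    return 200, "accepted"

if __name__ == "__main__":
    secret = "whsec_" + base64.b64encode(b"constructed-demo-key").decode()  # constructed
    body, ts = b'{"type":"constructed.event"}', str(int(time.time()))
    hdrs = {"svix-id": "msg_demo", "svix-timestamp": ts,
            "svix-signature": "v1," + sign(secret, "msg_demo", ts, body).decode()}
    print(handle(secret, hdrs, body), handle(secret, hdrs, body), handle(secret, hdrs, body + b" "))
```

Pass `handle` the bytes exactly as read from the socket; a body that was parsed and re-serialized first fails the comparison even when the delivery is genuine.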

Troubleshooting

4xx errors

  • Confirm the endpoint URL is correct and publicly accessible over HTTPS.

  • Ensure CSRF protection is disabled for the webhook route.

  • Verify your endpoint returns a 2xx status code.

Signature verification failures

  • Confirm you are using the raw request body.

  • Ensure the signing secret matches the one in the dashboard.

  • Verify the request body has not been modified before verification.

Timeouts

Your endpoint must respond within 15 seconds. If processing takes longer, return a 200 response immediately and process the event asynchronously.

Limitations

  • Webhooks are not supported in FedRAMP environments.

  • Updating event subscriptions affects future deliveries only.

  • Delivery is at-least-once, so duplicate events are possible.
