Webhooks send a signed JSON POST to your endpoint when subscribed events occur (assessment completed, finding status changed, incident opened, and more).
Every request carries an X-OnlyHIPAA-Signature header of the form sha256=<hex> — the HMAC-SHA256 of the raw body using your webhook secret. Recompute it and compare with a constant-time function before trusting the payload.
Respond with a 2xx within 5 seconds. A failed delivery is retried automatically with exponential backoff, and you can replay any delivery from the delivery log. A webhook that fails repeatedly is auto-suspended until you re-enable it.
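The signature check described above, seen from the receiving side, as an added example that is not OnlyHIPAA's own code. The function names, the 401/400 rejection statuses, and the sample secret and payload are assumptions constructed for illustration; only the header name and the sha256=<hex> format come from the text above.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-OnlyHIPAA-Signature"  # header name from the docs above
PREFIX = "sha256="


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    """Header value a sender holding `secret` produces for these exact bytes."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Constant-time check of the supplied header against the recomputed HMAC."""
    if not isinstance(header_value, str):
        return False  # header missing or duplicated into a non-string value
    # Compare as bytes: compare_digest rejects non-ASCII str arguments.
    supplied = header_value.strip().lower().encode("utf-8", "replace")
    expected = expected_signature(secret, raw_body).encode("ascii")
    return hmac.compare_digest(expected, supplied)


def handle_delivery(secret: bytes, headers: dict, raw_body: bytes):
    """Return (status, payload); JSON is parsed only after the HMAC matches."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lookup = {name.lower(): value for name, value in headers.items()}
    if not verify_signature(secret, raw_body, lookup.get(SIGNATURE_HEADER.lower())):
        return 401, None  # assumed status for a missing or bad signature
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers invalid JSON and invalid UTF-8
        return 400, None  # assumed status for a signed but unparsable body
    return 200, payload  # acknowledge with a 2xx; do slow work afterwards


if __name__ == "__main__":
    # Constructed sample values, not real OnlyHIPAA data.
    secret = b"constructed-webhook-secret"
    body = b'{"event":"constructed.sample","id":1}'
    headers = {SIGNATURE_HEADER: expected_signature(secret, body)}
    print(handle_delivery(secret, headers, body))
    # Re-serialising the parsed JSON changes the bytes, so the HMAC no longer
    # matches: always verify the raw request body, never a re-encoded copy.
    reencoded = json.dumps(json.loads(body)).encode()
    print(handle_delivery(secret, headers, reencoded))
```

Pass the body bytes exactly as received; many frameworks expose a parsed object by default, and hashing a re-encoded copy of it fails verification even for genuine deliveries.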