← All documentation
Webhook events
Every event your endpoint can subscribe to. OnlyHIPAA POSTs a signed JSON body
({ event, timestamp, payload }) for each subscribed event; verify the
X-OnlyHIPAA-Signature header (HMAC-SHA256 of the raw body with your secret).
Failed deliveries retry with backoff and can be replayed from
Settings → Webhooks.
Assessments
| Event | Fires when |
assessment.completed |
An assessment was marked complete. |
assessment.archived |
An assessment was archived. |
Findings
| Event | Fires when |
finding.status_changed |
A finding moved between statuses (open → resolved, etc.). |
finding.risk_changed |
A finding's risk level changed. |
Incidents
| Event | Fires when |
incident.created |
A security incident was created. |
incident.escalated |
An incident was escalated. |
incident.closed |
An incident was closed. |
Policies
| Event | Fires when |
policy.published |
A policy was published. |
policy.reviewed |
A policy was reviewed. |
Members
| Event | Fires when |
member.invited |
A team member was invited. |
member.removed |
A team member was removed. |
Evidence
| Event | Fires when |
evidence.uploaded |
Evidence was uploaded. |
evidence.deleted |
Evidence was deleted. |
Remediation
| Event | Fires when |
remediation.completed |
A remediation task was completed. |