Audit event webhooks

Forward every Cavalry audit event to a SIEM or internal automation. The worker delivers asynchronously with HMAC-SHA256 signatures and retries failed deliveries with exponential backoff.

Adding a webhook

1. Open /[org]/settings/integrations.
2. Click Add webhook. Pick a format (generic, splunk, or datadog), paste the destination URL, and generate a shared secret.
3. Optionally set action filters as space-separated globs (e.g. skill.* approval.*). Empty = deliver everything.

Payload shapes

Generic

{ "event": { ...fields } }

Splunk HEC

{
  "time": 1744200000,
  "host": "cavalry",
  "source": "cavalry",
  "sourcetype": "cavalry:skill.installed",
  "event": { ...fields }
}

Datadog logs

{
  "ddsource": "cavalry",
  "service": "cavalry",
  "ddtags": "org:org_abc,action:skill.installed,actor:user",
  "message": "skill.installed skill_version:sv_abc",
  "event": { ...fields }
}

Verifying deliveries

Each request carries:

• X-Cavalry-Signature: sha256=<hex> — HMAC-SHA256 over the exact bytes of the request body
• X-Cavalry-Delivery-Id — delivery row id (dedupe if you want to)
• X-Cavalry-Event-Id — audit event id
• X-Cavalry-Event-Action — the action literal

Verify by recomputing sha256 of the raw body with your stored secret. Constant-time compare required (Cavalry does this for inbound webhook handlers too).

Retry policy

Up to 5 attempts with a backoff of 0 · 30s · 2m · 10m · 60m. Each retry inserts a new audit_webhook_deliveries row so the history is append-only.