Skip to main content
Paid feature. Webhook alert delivery requires a Growth, Team, or Enterprise plan. The alerts_enabled entitlement is off on the Free plan.
AgentMark webhooks deliver alert notifications to your application when cost, latency, error-rate, or evaluation-score alerts trigger or resolve.

How it works

When an alert fires or resolves, AgentMark Cloud sends an HTTP POST request to your configured webhook URL. The request body is the event payload and the x-agentmark-signature-256 header is an HMAC-SHA256 signature of the request body (using your webhook secret), formatted as sha256=<hex-digest>. Your endpoint verifies the signature, processes the alert, and returns a 2xx status.

Setup

1. Get your webhook secret

AgentMark stores one webhook URL and one secret per environment, and alerts reuse that configuration. An alert scoped to an environment delivers through that environment’s webhook; an app-wide alert delivers through the default (dev) environment’s webhook.
  1. Open your app in the AgentMark Dashboard and select the environment whose webhook you want to configure in the breadcrumb. Switching environment shows that environment’s values.
  2. Navigate to Settings → Integrations.
  3. The Webhook Url form has two fields:
    • Webhook Url: your webhook endpoint URL.
    • Secret Key: the secret used for signature verification.
Keep your webhook secret secure. Use environment variables and never commit it to source control.

2. Install dependencies

3. Create the webhook endpoint

Set up environment variables:
Create a POST endpoint that verifies signatures and handles alert events. This example uses Next.js App Router:
app/api/agentmark-alerts/route.ts

4. Deploy and configure

1

Deploy your endpoint

Deploy your application to a publicly accessible URL (for example, Vercel, Railway, AWS).
2

Add the webhook URL

In the AgentMark Dashboard, select the environment in the breadcrumb, go to Settings → Integrations, and enter your endpoint URL in the Webhook Url form (for example, https://your-app.vercel.app/api/agentmark-alerts). Repeat for each environment whose alerts should deliver: an environment-scoped alert uses its own environment’s webhook, and app-wide alerts use the default (dev) environment’s webhook.
3

Set the webhook secret

Add the Secret Key from the same Webhook Url form to your deployment’s environment variables as AGENTMARK_WEBHOOK_SECRET.
4

Enable webhook delivery on the alert

Webhook delivery is opt-in per alert. When you create or edit an alert in the Dashboard (under Alerts), toggle on Custom Webhook; it’s off by default. Without this toggle, AgentMark won’t POST to your webhook URL even if you configured one.
5

Test

Configure an alert in the Dashboard (for example, cost threshold), trigger the condition, and verify your endpoint receives the event.

Event format

  • timeWindow is the measurement window in minutes (number).
  • timestamp is a Unix epoch in milliseconds (number), from Date.now().
  • AgentMark includes commitSha inside alert when the app has a commit SHA on record at trigger time; otherwise it omits the field. On resolved events it always omits the field.
  • environmentScope is always present: the name of the environment the alert targets, or the literal string all-envs for an app-wide alert.
  • AgentMark includes environmentName only when the alert targets an environment, and the field carries that environment’s name.
  • AgentMark includes the three evaluation* fields on alert only when type is evaluation_score.
  • The message string ends with an environment suffix: [env: <name>] for environment-scoped alerts, or [across all envs] for app-wide alerts.

Alert types

Processing alerts

Integration examples

The examples below share this Alert type, matching the payload described in Event format:

Slack notifications

Email notifications

Security best practices

  1. Always verify signatures. Reject requests with missing or invalid x-agentmark-signature-256 headers.
  2. Use HTTPS. Your production endpoint must use HTTPS.
  3. Store secrets in environment variables. Never hardcode credentials.
  4. Return proper status codes. 401 for auth failures, 400 for bad requests, 500 for server errors.
  5. Respond quickly. Return a 200 status promptly, then process the alert asynchronously if needed.
  6. Route by type. Send cost alerts to finance channels, latency alerts to engineering, and so on.

Have questions?

Reach out any time: