Integrations/Webhooks

Real-time automation with Webhooks from Cloudsmith

Cloudsmith Webhooks give your pipelines and tools instant visibility into package events, from upload and sync to quarantine and security scan completion. Configure per-repository subscriptions, shape payloads with Handlebars templates, and verify every delivery with HMAC-SHA1 signatures so your downstream systems react to exactly what happens, with no polling required.

How we support Webhooks

Cloudsmith Webhooks connect every meaningful package lifecycle event to the tools and pipelines that depend on them. From a single endpoint configuration, you get secure, filterable, and fully customisable event delivery across your entire workflow.
    Rich package event coverage
    Subscribe to eleven distinct event types including package.created, package.synced, package.failed, package.quarantined, package.security_scanned, and package.tags_updated. Get notified at every meaningful stage of the package lifecycle, not just on upload.
    Flexible payload formats
    Choose from JSON Object, JSON Array, Form Encoded JSON, or a fully custom Handlebars template. Drive Slack, Teams, external APIs, and custom services directly from Cloudsmith without needing a middleware translation layer such as IFTTT or Zapier.
    HMAC-SHA1 signature verification
    Every webhook delivery includes an X-Cloudsmith-Signature header so your receiver can cryptographically verify the payload originated from Cloudsmith, unaltered. Secret header and value fields provide an additional authentication layer for open endpoints.
    Package query filtering
    Attach a package search query to any webhook so only matching packages trigger delivery. Filter by name, tag, format, or any attribute supported by Cloudsmith search syntax. For example, fire events only for packages tagged release in a specific repository.
    Pipeline and ChatOps automation
    Instruct CI/CD services such as CircleCI, Jenkins, or Spinnaker to deploy the moment a synchronised package lands in your production repository. Or push rich, formatted notifications to Slack or Microsoft Teams so your team always knows what shipped and who uploaded it.

Why teams integrate Cloudsmith with Webhooks

Without event-driven automation, teams either poll for changes or rely on manual handoffs. Cloudsmith Webhooks eliminate that gap, turning every package lifecycle event into an immediate, verifiable signal your systems can act on.
Without CloudsmithTeams poll the registry on a timer to detect new or updated packages, introducing latency between a package becoming available and downstream systems reacting. Missed events cause failed deployments or out-of-date environments.
With CloudsmithCloudsmith fires a webhook the instant a package syncs, quarantines, or completes a security scan. Your CI/CD pipeline or deployment tool receives the signal immediately, with no polling overhead and no missed events.
Without CloudsmithWithout payload verification, teams cannot confirm that a webhook originated from their registry rather than a malicious actor. Accepting unverified events creates a real attack surface, especially for systems that trigger deployments automatically.
With CloudsmithCloudsmith calculates an HMAC-SHA1 digest for every delivery, sent in the X-Cloudsmith-Signature header. Your receiver verifies the signature before acting on the payload, giving you cryptographic assurance of origin and integrity for every event.
Without CloudsmithWebhook endpoints receive every event from every package, forcing receivers to filter noise in application code. A single high-volume repository floods downstream systems with irrelevant deliveries, complicating logic and increasing error surface.
With CloudsmithCloudsmith package query filters let you scope each webhook to only the packages that matter. Subscribe to package.synced for packages tagged release, or target a specific name pattern, so your endpoints only receive signals they are designed to act on.

Frequently asked questions

  1. Cloudsmith supports eleven event types: package.created, package.synced, package.syncing, package.failed, package.deleted, package.restored, package.quarantined, package.released, package.security_scanned, package.tags_updated, and a ping event fired when a webhook is first created or tested. You subscribe to the subset of events relevant to your workflow.

  2. Navigate to the Webhooks sub-menu of any repository in the Cloudsmith UI. Creating a webhook requires only a destination endpoint URL. From there you can select payload format, choose event subscriptions, add a package query filter, and configure security options including HMAC signature keys and secret headers.

  3. Each webhook delivery includes an X-Cloudsmith-Signature header containing an HMAC-SHA1 digest of the payload. On the receiver side, recalculate the HMAC using your shared secret key and compare it to the header value. If they match, the payload arrived from Cloudsmith unaltered. Cloudsmith stores the secret key encrypted internally.

  4. Cloudsmith supports JSON Object, JSON Array, Form Encoded JSON Object, and Handlebars Template formats. The Handlebars option lets you craft fully custom payloads for any downstream service, including Slack, Microsoft Teams, or bespoke internal APIs, without needing an intermediate translation service.

  5. Yes. Each webhook accepts an optional package search query using the same syntax supported across Cloudsmith. For example, you can configure a webhook to fire only for packages named my-web-app that carry a release tag. Packages that do not match the query will not trigger delivery, keeping your endpoints focused on the signals that matter.

  6. Configure a webhook subscribed to the package.synced event on your production repository. Point it at your CI/CD service endpoint, such as CircleCI, Jenkins, or Spinnaker. When a synchronised package lands in the repository, Cloudsmith fires the webhook and your pipeline picks up the signal and initiates deployment automatically.

  7. Yes. Use the Handlebars Template payload format to construct a Slack-compatible or Teams-compatible JSON payload directly. You can include package name, version, download URL, uploader, and any custom logic such as calling out a hotfix tag. No middleware is required between Cloudsmith and your chat tool.

  8. Yes. Cloudsmith Webhooks are a repository-level feature that works across all 30+ supported package formats including Docker, npm, Maven, Python, Helm, Debian, and more. Any package event in any repository can trigger a webhook delivery regardless of format.

  9. Yes. Within a single webhook you can define a separate Handlebars template for each event type. If a specific event template exists it takes precedence, otherwise the default template is used. This lets you route all events to a single endpoint while formatting the payload differently for each, for example distinguishing a security scan result from a sync completion.

  10. Cloudsmith webhooks currently originate from three IP addresses: 34.252.163.216, 52.208.86.0, and 108.129.59.129. These addresses can be used to allowlist Cloudsmith traffic at your firewall. Contact Cloudsmith support for the most up-to-date list, as these addresses may change over time.

Integrations

Discover more Cloudsmith Integrations