API Reference

Webhooks

Receive real-time notifications for governance events via HTTP webhooks.

Overview

Webhooks allow you to receive real-time notifications when events occur in your Tork environment.

Event-Driven: Push notifications for events

Signed Payloads: HMAC signature verification

Auto Retry: Failed deliveries retried

Configuring Webhooks

Register a webhook endpoint via the API:

python
from tork_governance import TorkClient

client = TorkClient()

# Create a webhook endpoint
webhook = client.webhooks.create(
    url="https://your-server.com/webhooks/tork",
    events=[
        "policy.violation",
        "approval.requested",
        "approval.decided",
        "budget.threshold_reached",
        "circuit_breaker.triggered"
    ],
    secret="whsec_your_signing_secret"  # For signature verification
)

print(f"Webhook ID: {webhook.id}")
print(f"Signing secret: {webhook.secret}")

Event Types

Available webhook event types:

policy.violation            An agent action was blocked by a policy
policy.warning              An action triggered a policy warning
approval.requested          A new approval request was created
approval.decided            An approval was approved or rejected
approval.expired            An approval request timed out
budget.threshold_reached    A budget threshold was reached
budget.exceeded             A budget limit was exceeded
circuit_breaker.triggered   A circuit breaker was tripped
circuit_breaker.reset       A circuit breaker was reset
jailbreak.detected          A jailbreak attempt was detected
agent.registered            A new agent was registered
agent.updated               An agent configuration was updated

Webhook Payload

All webhooks follow this payload structure:

json
{
  "id": "evt_abc123def456",
  "type": "policy.violation",
  "created_at": "2024-01-15T10:30:00Z",
  "data": {
    "agent_id": "agent-123",
    "policy_name": "block-pii-sharing",
    "action": "BLOCK",
    "reason": "PII detected in output",
    "content_preview": "The user's SSN is...",
    "metadata": {
      "user_id": "user_456",
      "session_id": "sess_789"
    }
  },
  "environment": "production"
}

Signature Verification

Verify webhook signatures to ensure authenticity:

python
import hmac
import hashlib
from flask import Flask, request

app = Flask(__name__)
WEBHOOK_SECRET = "whsec_your_signing_secret"

@app.route("/webhooks/tork", methods=["POST"])
def handle_webhook():
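    # Get the signature and timestamp from headers
    signature = request.headers.get("X-Tork-Signature")
    timestamp = request.headers.get("X-Tork-Timestamp")

    # Reject requests missing either header; compare_digest() raises
    # TypeError on None, which would surface as a 500 instead of a 401
    if not signature or not timestamp:
        return "Missing signature headers", 401

    # Compute expected signature over "<timestamp>.<raw body>"
    payload = timestamp.encode() + b"." + request.get_data()
    expected = hmac.new(
        WEBHOOK_SECRET.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()

    # Verify signature in constant time (compare bytes so a non-ASCII
    # header value cannot raise TypeError)
    if not hmac.compare_digest(signature.encode(), f"sha256={expected}".encode()):
        return "Invalid signature", 401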

    # Process the event
    event = request.json
    print(f"Received event: {event['type']}")

    return "OK", 200

Retry Policy

Failed webhook deliveries are automatically retried:

Attempt      Delay
1st retry    1 minute
2nd retry    5 minutes
3rd retry    30 minutes
4th retry    2 hours
5th retry    24 hours

Important: Your webhook endpoint must respond with a 2xx status code within 30 seconds, or it will be marked as failed.
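
Because failed deliveries are retried, a receiver can see the same event more than once, and a captured signed request stays valid unless the timestamp is checked. The following is an added example, not Tork's own code: a framework-independent verifier that checks the signature format shown above, rejects stale timestamps, and deduplicates on the payload `id`. Assumptions: `X-Tork-Timestamp` is Unix seconds, each delivery attempt is signed with a fresh timestamp, the 300-second tolerance is an arbitrary choice, and the names `sign` and `WebhookVerifier` are hypothetical.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not specify one


def sign(secret: str, timestamp: str, body: bytes) -> str:
    """Build the header value in the format the handler above checks."""
    mac = hmac.new(secret.encode(), timestamp.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


class WebhookVerifier:
    def __init__(self, secret: str, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen_ids = set()  # in-memory for the example; use a shared store with a TTL

    def verify(self, signature, timestamp, body: bytes, now=None):
        """Return (status, event); event is None unless status is 'accepted'."""
        if not signature or not timestamp:
            return "missing_header", None
        expected = sign(self.secret, timestamp, body)
        if not hmac.compare_digest(signature.encode(), expected.encode()):
            return "bad_signature", None
        # The timestamp is covered by the MAC, so it is only trusted after the check above.
        try:
            sent_at = int(timestamp)  # assumption: Unix seconds
        except ValueError:
            return "bad_timestamp", None
        now = time.time() if now is None else now
        if abs(now - sent_at) > self.tolerance:
            return "stale", None
        event = json.loads(body)
        if event["id"] in self.seen_ids:
            return "duplicate", None  # retried delivery: answer 2xx, skip processing
        self.seen_ids.add(event["id"])
        return "accepted", event


if __name__ == "__main__":
    secret = "whsec_constructed_example"  # constructed sample values
    body = b'{"id": "evt_abc123def456", "type": "policy.violation"}'
    ts = str(int(time.time()))
    verifier = WebhookVerifier(secret)
    print(verifier.verify(sign(secret, ts, body), ts, body)[0])  # first delivery
    print(verifier.verify(sign(secret, ts, body), ts, body)[0])  # same event again
```

Return a 2xx for `duplicate` so the sender stops retrying, and a 4xx for the other rejection statuses.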
