RegexNest Docs

Webhooks

Receive real-time notifications whenever shared workspaces change — integrate RegexNest directly into your CI/CD pipeline, Slack, or internal tooling.

Setup

Webhooks are configured at the workspace level. Only workspace owners and admins can add, edit, or delete webhook endpoints. Each workspace supports up to five active webhooks, and every webhook fires independently.

Navigate to Workspace Settings → Integrations → Webhooks and click Add Endpoint. You'll need a publicly reachable HTTPS URL — RegexNest retries failed deliveries with exponential backoff (1s, 4s, 16s, 64s) before marking the webhook as unhealthy after five consecutive failures.

Trigger

On Pattern Save

Fires whenever any collaborator saves a new regex pattern or modifies an existing one in the workspace. Includes the full pattern, flags, and the author's name.

Trigger

On Test Case Update

Sent when test strings are added, removed, or changed. The payload contains the updated test matrix with match/non-match status for every pattern in the workspace.

Trigger

On Member Change

Triggers when a user is invited, removed, or has their role changed. Useful for syncing access across your team directory or audit logging.

Payload Example

Every webhook delivers a JSON payload with a consistent envelope. The event field tells you what happened, and the data object carries event-specific details.

Below is a real payload from a pattern.saved event in the API Validation Rules workspace (ID: wk_9f3a2b1c):

{
  "event": "pattern.saved",
  "timestamp": "2025-06-14T09:23:41Z",
  "workspace": {
    "id": "wk_9f3a2b1c",
    "name": "API Validation Rules",
    "url": "https://regexnest.com/workspaces/wk_9f3a2b1c"
  },
  "data": {
    "pattern_id": "pt_7d4e8f02",
    "expression": "^(?<email>[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})$",
    "flags": ["u"],
    "description": "RFC 5322 simplified email validation",
    "author": {
      "id": "usr_m4n0v3",
      "name": "Mira Novak",
      "email": "mira@acme.io"
    },
    "previous_expression": "^[\\w.%+-]+@[\\w.-]+\\.[a-zA-Z]{2,}$"
  }
}

The previous_expression field is included only when a pattern was modified. For new patterns, it is null. All payloads are signed — see the security section below.

Security

RegexNest signs every webhook payload using HMAC-SHA256. Your endpoint receives the signature in the X-RegexNest-Signature header so you can verify the request originated from RegexNest and has not been tampered with.

When you create a webhook, a unique secret key is generated — for example, whsec_8kL2pQxR9vTnJwYc4mHbFgAe6sDf. Store this secret in your environment variables. To verify a payload:

  1. Read the raw request body as a UTF-8 string.
  2. Compute HMAC-SHA256(secret, payload_string) and encode the result in hexadecimal.
  3. Compare your computed hash with the value in X-RegexNest-Signature using a constant-time comparison function.

If the signatures do not match, reject the request immediately. RegexNest also includes a X-RegexNest-Timestamp header (Unix epoch in milliseconds) to help you detect replay attacks — we recommend rejecting payloads older than 300 seconds.

You can rotate your webhook secret at any time from the webhook settings page. Rotating the secret invalidates the old key immediately; all subsequent deliveries will use the new secret. Keep a short grace period in mind — in-flight requests signed with the old key will fail verification.