Webhooks

Currently, we offer a single webhook URL per organization. When enabled, we POST a webhook payload for every alert that is generated in our system. These alerts are driven by the policies that devices are assigned to.

You can update the webhook integration either through the console or by using the API endpoint /api/integrations/updateWebhookIntegration.

The webhook payload is a JSON object with the following fields and typing:

{
  "version": [INTEGER] the version of the webhook,
  "activityTrigger": [STRING] optional comma separated list of activities that triggered the alert (human movement, etc),
  "diagnosticTrigger": [STRING] optional comma separated list of diagnostics that triggered the alert (camera disconnects, etc),
  "summary": [STRING] user friendly description of the alert,
  "deviceUuid": [STRING] the id of the device that triggered the alert,
  "timestampMs": [LONG] the epoch millisecond timestamp of the alert,
  "location": [STRING] the id of the location for the alert,
  "alertUuid": [STRING] the id of the alert,
  "durationSec": [INTEGER] optional duration of the alert clip in seconds if the alert has media,
  "thumbnailLocation": [STRING] optional region of the alert thumbnail if the alert has media,
  "clipLocationMap": [MAP<STRING, STRING>] optional map of device id to region for the alert clip
}

Here is an example webhook payload with some default values:

{
  "summary": "Movement detected at HQ",
  "deviceUuid": "AAAAAAAAAAAAAAAAAAAAAA",
  "clipLocationMap": {"AAAAAAAAAAAAAAAAAAAAAA": "us-west-2"},
  "alertUuid": "BBBBBBBBBBBBBBBBBBBBBB",
  "activityTrigger": "MOTION",
  "location": "CCCCCCCCCCCCCCCCCCCCCC",
  "durationSec": 8,
  "version": "2",
  "timestampMs": 1646942680190,
  "thumbnailLocation": "us-west-2"
}

An example of setting up a development ngrok server for webhook payload consumption can be found here. This example prints the webhook payload and saves the clip to local storage.

Securing Webhooks

There are two general approaches for ensuring that webhooks received by your server originated from Rhombus. Ideally, both of these approaches should be implemented by all webhook consumers.

1. Validate the Client certificate presented during the TLS handshake

The following certificate can be used, in combination with a check for the CN (webhook-client.rhombus.com), to validate that the connection originated from Rhombus.

2. Validate the HMAC header included in the request header

Every webhook request contains the header x-rhombus-signature-sha1. Compare this signature against the result of the following operation to verify the authenticity of the content of each webhook request. The webhook secret is unique to each organization, and can be found here: https://console.rhombussystems.com/settings/integrations/webhookSettings

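// Java (Apache Commons Codec)
import org.apache.commons.codec.digest.HmacAlgorithms;
import org.apache.commons.codec.digest.HmacUtils;

final String webhookSignature = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, webhookSecret)
                    .hmacHex(webhookBody);

# Python 3: webhookSecret and webhookBody must be bytes
import hmac
import hashlib

digester = hmac.new(webhookSecret, webhookBody, hashlib.sha1)
signature = digester.hexdigest()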
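
A receiver-side check built on the HMAC operation above, added here as an example and not taken from Rhombus code: it verifies the signature over the raw request bytes with a constant-time comparison before any JSON parsing. The function names, the status codes returned, and the assumption that the header carries a bare hex digest are illustrative; the secret and body are constructed sample data.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-rhombus-signature-sha1"  # header name given on this page


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the header matches HMAC-SHA1(secret, raw_body)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER)
    if not received:
        return False  # unsigned request: reject instead of falling through
    # Hash the exact bytes received, never a re-serialised copy of the JSON.
    expected = hmac.new(secret, raw_body, hashlib.sha1).hexdigest()
    # Assumption: the header value is the bare hex digest (no prefix).
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Verify first, parse second. Returns (http_status, alert_or_None)."""
    if not verify_webhook(secret, headers, raw_body):
        return 401, None
    try:
        alert = json.loads(raw_body)
    except ValueError:  # covers invalid JSON and undecodable bytes
        return 400, None
    if not isinstance(alert, dict) or "alertUuid" not in alert:
        return 400, None
    return 200, alert


# Constructed sample data (not a real secret or alert).
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"alertUuid": "BBBBBBBBBBBBBBBBBBBBBB", "summary": "Movement detected at HQ"}'
SAMPLE_SIG = hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha1).hexdigest()

if __name__ == "__main__":
    good = {"X-Rhombus-Signature-Sha1": SAMPLE_SIG}
    print(handle_webhook(SAMPLE_SECRET, good, SAMPLE_BODY))         # accepted
    print(handle_webhook(SAMPLE_SECRET, good, SAMPLE_BODY + b" "))  # body altered
```

In a web framework, pass the unparsed request body to `handle_webhook`; a body that has been decoded and re-encoded may no longer match the signed bytes.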