Webhooks - ModVault Docs
Secure Mods. Seamless Installs.
Available Event Types
ModVault dispatches HTTP POST requests to your registered endpoints when repository activity crosses defined thresholds. Each delivery contains a JSON payload with event metadata, Unix timestamps, and actor identifiers.
mod_published
Fires when a mod package clears automated linting and is pushed to the live CDN. Payload includes `mod_id`, `author_slug`, `initial_version`, `supported_game_build`, and `cdn_download_url`.
version_updated
Triggers on patch, minor, or major releases. Contains `previous_version`, `new_version`, `changelog_html`, `file_hash_sha256`, and `breaking_changes` boolean for dependency managers.
new_comment
Dispatched when a user posts feedback or a bug report on a mod page. Includes `comment_id`, `user_rating`, `mod_slug`, `thread_context`, and `sentiment_score` from our NLP moderation filter.
Configure Endpoints & Verify Signatures
Integrate webhook listeners into your CI/CD pipeline, Discord bot, or analytics dashboard by registering a public HTTPS endpoint in your ModVault developer dashboard.
Signature Verification
Every request includes an `X-ModVault-Signature-256` header. Generate an HMAC-SHA256 hash using your secret key (`whsec_8f3a...`) and the raw request body. Reject payloads where the computed hash does not match the header value to prevent replay attacks and spoofed events.
Return HTTP `200–299` to acknowledge receipt. Set a `Retry-After` header with a value between `60` and `3600` seconds to throttle delivery during upstream maintenance. ModVault guarantees at-least-once delivery with a default 15-minute exponential backoff and a maximum of 5 retry attempts.