Webhooks
HMAC-signed inbound receivers + outbound fan-out. Signing secrets shown exactly once.
Outbound
Push Meridian events (monitor.incident.opened, runbook.run.completed, user.login.failed, etc.) into external systems. Receivers verify the X-Meridian-Signature HMAC-SHA256 over the raw body. Per-webhook event subscription is a chip row on the create form.
Inbound
Accept signed POSTs from external systems and route them into a handler. Useful for ingesting service-registry events, CI pipeline completions, or SIEM alerts. Each receiver has its own URL + secret; unsigned calls are rejected with 401.
Event catalog
The Events tab lists every event kind Meridian can emit, with a schema snippet per event. Use it to decide which events to subscribe to.
Gotchas
- Secrets are shown once. Copy on creation; we store only the hash. Rotate = new secret, old one becomes immediately invalid.
- Verifying the signature on the receiver side is mandatory; anything less defeats the point.