Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.slipway.sh/llms.txt

Use this file to discover all available pages before exploring further.

Slipway delivers deployment notifications to user-configured channels via HTTPS POST. Discord and Slack receive platform-native payloads; generic webhook channels receive the schema below.

Request

  • Method: POST
  • Content-Type: application/json
  • User-Agent: slipway-notifier/1
  • X-Slipway-Signature: sha256=<hex> — present only when the channel has a signing secret configured (see HMAC signing).
  • Timeout: 10 seconds. Non-2xx responses and timeouts are recorded as notification_failed events and not retried in v1.

Body

{
  "event": "deployment.healthy",
  "ts": "2026-05-19T17:22:03Z",
  "organization": {
    "slug": "acme",
    "name": "Acme Inc"
  },
  "repository": {
    "id": "5b1f-…-c2e9",
    "full_name": "acme/orders-api"
  },
  "deployment": {
    "id": "8e4c-…-a3d1",
    "url": "https://app.slipway.sh/deployments/8e4c-…-a3d1",
    "commit_sha": "9a1f6c…",
    "branch": "feat/checkout",
    "status": "healthy",
    "trigger": "pull_request",
    "pr_number": 142,
    "public_urls": {
      "api": "https://api-pr142.preview.acme.dev",
      "web": "https://web-pr142.preview.acme.dev"
    },
    "expires_at": "2026-05-19T22:22:03Z"
  }
}

Field reference

FieldTypeNotes
eventstringOne of deployment.healthy, deployment.updated, deployment.failed, deployment.torn_down.
tsRFC3339Time the dispatcher built the payload.
organization.slugstringURL-safe org slug.
organization.namestringHuman-readable org name.
repository.idUUIDStable internal id.
repository.full_namestringowner/repo from GitHub.
deployment.idUUIDStable internal id.
deployment.urlstringLink back to the deployment detail page. Omitted when the master has no SL_PUBLIC_BASE_URL configured.
deployment.commit_shastringFull 40-char SHA.
deployment.branchstring
deployment.statusstringSnapshot of the row’s status at send time. Usually matches the event (healthy for deployment.healthy, failed for deployment.failed, superseded for deployment.torn_down).
deployment.triggerstringpush, pull_request, manual, or rollback.
deployment.pr_numberintPresent only when trigger == "pull_request". Omitted otherwise.
deployment.public_urlsobject{ service_name: url }. Omitted when the spec defines no public services.
deployment.expires_atRFC3339Set on ephemeral previews when status flipped to healthy. Omitted otherwise.
deployment.failure_reasonstringPresent only on deployment.failed.
The updated event uses the same shape as healthy — there is no extra “previous deployment” reference. If you need that, look up the repo’s deployments via the API and find the most recent superseded row for the same pr_number.

HMAC signing

When the channel has a signing secret, slipway includes: 
X-Slipway-Signature: sha256=<hex_digest>
The digest is computed exactly as: 
hmac_sha256(raw_request_body, signing_secret)
…over the raw bytes of the request body, not a re-serialised version. Verify in constant time before trusting the payload. Example in Go: 
mac := hmac.New(sha256.New, []byte(secret))
mac.Write(body)
want := "sha256=" + hex.EncodeToString(mac.Sum(nil))
got := r.Header.Get("X-Slipway-Signature")
if !hmac.Equal([]byte(got), []byte(want)) {
    http.Error(w, "bad signature", http.StatusUnauthorized)
    return
}
The signing scheme intentionally mirrors slipway’s inbound GitHub webhook verifier, so any code you already have for verifying GitHub webhooks will need only a header-name change.

Delivery failures

If your endpoint returns a non-2xx status or doesn’t respond within 10 seconds, slipway writes a notification_failed event to the deployment with data.channel_id. There is no retry in v1 — design your receiver to be idempotent and use the slipway UI’s deployment timeline to spot delivery problems.