Webhooks & Notifications
LakeSentry sends notifications through two channels: email (to individual users based on their preferences) and webhooks (to a configured endpoint for integration with Slack, PagerDuty, or other tools). This page covers both systems.
Email notifications
Section titled “Email notifications”Each user can configure their own notification preferences. These control which email notifications they receive.
Notification types
Section titled “Notification types”| Type | Default | Frequency | Content |
|---|---|---|---|
| Daily digest | On (admins/owners) | Daily | Summary of yesterday’s insights by severity, top 3 insights, cost overview |
| Weekly report | On | Weekly | Cost summary, insights summary, actions taken, top 5 cost drivers |
| Monthly report | On (owners) | Monthly | Previous month’s cost summary, spend by category, savings achieved |
| System alerts | On (admins/owners) | As needed | Connector health issues, budget threshold breaches |
Configuring email preferences
Section titled “Configuring email preferences”- Click your profile icon in the top navigation.
- Select Notification Preferences.
- Toggle each notification type on or off.
- Changes take effect immediately.
Alternatively, go to Settings > Users > click your name > Notifications.
Budget alerts
Section titled “Budget alerts”Budget threshold alerts are configured per budget, not per user:
- Each budget has configurable thresholds (defaults: 80% and 100% of budget).
- Each budget can specify recipients — specific users who receive the alert. If no recipients are configured, the alert goes to all admins and owners with system alerts enabled.
- Alerts are deduplicated — each budget/threshold combination triggers at most once per 60 minutes.
- Only the highest exceeded threshold triggers. If spend crosses both 80% and 100%, only the 100% alert fires.
For budget configuration, see Budgets.
Connector health alerts
Section titled “Connector health alerts”LakeSentry monitors connector health hourly. An alert fires if:
- The connector has a validation error (e.g., credential issue).
- No data has been received from the connector for 30+ hours.
Health alerts are deduplicated per connector with a 60-minute window.
Webhooks
Section titled “Webhooks”Webhooks push event data to an external HTTPS endpoint. Use them to integrate LakeSentry notifications with Slack, Microsoft Teams, PagerDuty, or any system that accepts HTTP callbacks.
Setting up a webhook
Section titled “Setting up a webhook”Webhook configuration requires the Owner role.
- Go to Settings > Webhooks.
- Click Configure Webhook (or Edit for an existing webhook).
- Enter the endpoint URL (must be HTTPS).
- Click Save.
LakeSentry generates a signing secret automatically. Copy and store it — you’ll need it to verify webhook signatures.
Testing the webhook
Section titled “Testing the webhook”After configuring the endpoint:
- Click Test Webhook on the webhook settings page.
- LakeSentry sends a test event to your endpoint.
- Verify your endpoint received the payload and responded with a
2xxstatus.
Webhook events
Section titled “Webhook events”The webhook fires for the following event types:
| Event type | Trigger |
|---|---|
daily_digest | Daily digest computed |
weekly_report | Weekly report computed |
monthly_report | Monthly report computed |
test | Manual test from webhook settings |
Payload format
Section titled “Payload format”All webhook events use the same envelope:
{ "id": "daily_digest_2026-02-19", "type": "daily_digest", "created_at": "2026-02-19T08:00:00Z", "data": {}}The data object contains event-specific fields documented below.
Headers
Section titled “Headers”Every webhook request includes these headers:
| Header | Description |
|---|---|
Content-Type | application/json |
User-Agent | LakeSentry-Webhook/1.0 |
X-LakeSentry-Event-ID | Unique event identifier |
X-LakeSentry-Event-Type | Event type (e.g., daily_digest) |
X-LakeSentry-Timestamp | Unix timestamp of the request |
X-LakeSentry-Signature | HMAC-SHA256 signature (if signing secret configured) |
Event-specific data
Section titled “Event-specific data”Daily digest (daily_digest):
InsightsCritical— Count of critical severity insightsInsightsWarning— Count of warning severity insightsInsightsInfo— Count of info severity insightsTopInsights— Array of the top 3 insights (Title, Type, Description, Severity)TotalCost— Total cost for the periodCostChangePercent— Cost change percentage compared to prior periodPeriodStart,PeriodEnd— Formatted date strings for the digest period
Weekly report (weekly_report):
TotalCost— Total spend for the periodCostChangePercent— Cost change percentage compared to prior periodInsightsSummary— Text summary of insights activityActionsTaken— Count of actions executedTopCostDrivers— Array of the top 5 cost drivers (Name, Cost, Change)PeriodStart,PeriodEnd— Formatted date strings for the report period
Monthly report (monthly_report):
TotalCost— Total spend for the monthCostChangePercent— Cost change percentage compared to prior periodSpendByCategory— Breakdown by attribution path (Name, Amount, Percent)SavingsAmount— Total savings achieved through actionsPeriodStart,PeriodEnd— Formatted date strings for the report period
Verifying webhook signatures
Section titled “Verifying webhook signatures”If a signing secret is configured, verify the signature to ensure the request came from LakeSentry:
- Extract the
X-LakeSentry-TimestampandX-LakeSentry-Signatureheaders. - Construct the signed payload:
{timestamp}.{json_body}. - Compute HMAC-SHA256 of the signed payload using your signing secret.
- Compare the hex-encoded result with the signature header.
Example (Python):
import hmacimport hashlib
def verify_signature(timestamp, body, signature, secret): payload = f"{timestamp}.{body}" expected = hmac.new( secret.encode(), payload.encode(), hashlib.sha256 ).hexdigest() return hmac.compare_digest(expected, signature)Delivery and retries
Section titled “Delivery and retries”- Webhook deliveries have a 30-second timeout.
- Failed deliveries are retried up to 2 times with exponential backoff (up to 3 total attempts).
- All delivery attempts (success and failure) are logged and visible on the Webhook Deliveries page in Settings.
Managing the webhook
Section titled “Managing the webhook”| Action | How |
|---|---|
| Disable | Toggle the webhook to disabled. Events are not sent but the configuration is preserved. |
| Regenerate secret | Click Regenerate Secret on the webhook settings page. Update your receiving application with the new secret. |
| Delete | Remove the webhook entirely. |
| View deliveries | Check Settings > Webhooks > Deliveries for recent delivery status and any errors. |
Endpoint requirements
Section titled “Endpoint requirements”- Must accept HTTPS (HTTP is rejected).
- Must respond with a
2xxstatus code within 30 seconds. - Cannot target localhost or private IP addresses (SSRF protection).
Next steps
Section titled “Next steps”- Budgets — Configure budgets and threshold alerts
- Settings — Organization-level configuration
- Roles & Permissions — Who can configure webhooks