OpenSERP Cloud Updated Quickstart →

Search Monitor Webhooks

Search Monitor can send an HTTP POST when a completed run produces alerts. Add the webhook URL and an optional signing secret in the monitor's Settings tab....

Search Monitor can send an HTTP POST when a completed run produces alerts. Add the webhook URL and an optional signing secret in the monitor’s Settings tab.

Payload

The request uses Content-Type: application/json:

{
  "event": "monitor.run.completed",
  "monitor": {
    "id": 42,
    "name": "Product keywords"
  },
  "run_id": 314,
  "alerts": [
    {
      "type": "position_drop",
      "title": "Ranking dropped",
      "body": "openserp.org moved from #3 to #9 for serp api",
      "details": {
        "keyword": "serp api",
        "engine": "google",
        "region": "us"
      }
    }
  ],
  "ts": "2026-07-16T09:30:00Z",
  "text": "OpenSERP Search Monitor - Product keywords: 1 alert(s). Ranking dropped - openserp.org moved from #3 to #9 for serp api",
  "content": "OpenSERP Search Monitor - Product keywords: 1 alert(s). Ranking dropped - openserp.org moved from #3 to #9 for serp api"
}

text makes the payload compatible with Slack incoming webhooks. content provides the equivalent Discord message. The structured fields remain available to custom receivers and automation tools.

Slack

Create an incoming webhook in your Slack app, copy its HTTPS URL, and paste it into the monitor’s webhook field. No payload adapter is required - Slack displays the text value.

Discord

In a Discord channel, open Edit Channel → Integrations → Webhooks, create a webhook, and paste its HTTPS URL into the monitor settings. Discord displays the content value.

Verify signed requests

When a signing secret is configured, OpenSERP adds this header:

X-OpenSERP-Signature: sha256=9f8c...

Compute HMAC-SHA256 over the exact raw request body using the configured secret and compare the hexadecimal digest in constant time. Reject the request if the signature is absent or does not match.

Webhooks require a public HTTP or HTTPS endpoint. Redirects and URLs that resolve to private, loopback, link-local, or metadata addresses are rejected.