Every action in your workspace — sign-ins, permission changes, drift detections, workflow dispatches — now streams to external systems the moment it happens. Configure one or more HTTPS webhook destinations and Atmos Pro delivers audit events in CloudEvents v1.0 structured content mode, ready for Splunk, Datadog, Sumo Logic, or any system that speaks HTTP.

Events are batched (up to 100 per delivery) and forwarded within seconds of being recorded. Each payload is signed with HMAC-SHA256 using a per-destination secret, so your receiving service can verify authenticity before processing. The signature is sent in the X-Webhook-Signature header alongside a stable X-Webhook-Id for deduplication.

Every event arrives as a typed CloudEvents envelope with a pro.atmos.{category}.{action} type string, making it straightforward to route events by category in your SIEM — filter on pro.atmos.billing.* for payment events, pro.atmos.workflow.* for deployment activity, or pro.atmos.team_member.* for access changes.

Webhook destinations are managed from Workspace Settings. Each destination can be independently enabled or disabled without deletion, and you can send a test event to verify connectivity before going live. Failed deliveries are retried automatically and the last delivery status is visible at a glance.

SSRF protections prevent webhooks from targeting private networks, and custom headers let you pass authentication tokens your receiving service requires — while reserved headers like Authorization and Content-Type cannot be overridden.

Audit logs are retained according to your plan's entitlement. A daily background job purges expired records automatically, so you stay within your retention window without manual intervention. Enterprise plans support extended retention periods.

Audit log forwarding is available on Enterprise plans. Visit plan options to upgrade.