WhiteIntel Webhook API
WhiteIntel webhooks allow your organization to receive real-time alerts when your watchlist items (such as domains, IPs, hostames, or emails) are detected in leaked stealer logs.
🔧 Setup
To configure a webhook:
Go to your WhiteIntel dashboard
Set your receiving HTTPS endpoint
A secure HMAC secret will be auto-generated
⚠️ Configuring a webhook will override any existing configuration.
Endpoint Requirements
Must use
https://
(orhttp://
in dev/test)Must not point to internal/private addresses (e.g.
localhost
,.local
,127.0.0.1
)Must not target WhiteIntel-owned domains
🔐 Security & Signature
Every webhook POST is signed with an HMAC SHA256 signature.
NEVER PROCESS THE REQUEST BEFORE VERIFYING THE SIGNATURE.
Headers
X-Signature
Base64-encoded HMAC signature
X-Signature-Version
Currently always "v1"
X-Timestamp
ISO 8601 UTC timestamp
User-Agent
WhiteIntel-Webhook
Signature Generation (example)
// Pseudo-code for generating the HMAC signature
signature = base64(HMAC_SHA256(timestamp, secret_key))
📬 Events & Payload Structure
Webhook notifications are triggered for the following types based on your watchlist:
consumer
corporate
email
ip
hostname
Sample Payload: consumer
consumer
{
"type": "consumer",
"value": "example.com",
"description":"As part of WhiteIntel's dark web surveillance, the specified consumer accounts have been found exposed in stolen credentials.",
"count": 8,
"usernames": [
["[email protected]", 5],
["[email protected]", 3]
],
"event_date": "2025-04-10 12:00:00",
"source": "watchlist_monitor"
}
Sample Payload: corporate
corporate
{
"type": "corporate",
"value": "internal.corp.com",
"description":"As part of WhiteIntel's dark web surveillance, the specified corporate accounts have been found exposed in stolen credentials.",
"count": 5,
"usernames": [
["[email protected]", 2],
["[email protected]", 1]
],
"event_date": "2025-04-10 12:00:00",
"source": "watchlist_monitor"
}
Sample Payload: email
email
{
"type": "email",
"value": "[email protected]",
"description": "As part of WhiteIntel's dark web surveillance, the specified email address has been found exposed in stolen credentials.",
"count": 2,
"usernames": [
["[email protected]", 2]
],
"event_date": "2025-04-10 06:00:00",
"source": "watchlist_monitor"
}
Sample Payload: ip
ip
{
"type": "ip",
"value": "192.0.2.1",
"description": "As part of WhiteIntel's dark web monitoring, the following IP addresses have been identified as compromised by stealer malware.",
"count": 1,
"event_date": "2025-04-10 08:00:00",
"source": "watchlist_monitor"
}
Sample Payload: computername
computername
{
"type": "hostname",
"value": "DESKTOP-HACKED01",
"description": "As part of WhiteIntel's dark web monitoring, the specified Computer name have been identified as compromised by stealer malware.",
"count": 1,
"event_date": "2025-04-10 07:00:00",
"source": "watchlist_monitor"
}
Webhook Simulation
In order to simulate webhook calls before deploying to production, visit your Webhook page on WhiteIntel platform.

Last updated