Alerts
Real-time notifications for vault events via email and webhooks.
Alerts notify you when specific events happen in your vault. Two delivery channels are available: email notifications sent to your account email, and webhooks that POST signed JSON payloads to your own HTTP endpoints.
Both channels use the same underlying event system. Every alertable action has a category and a severity level. You choose which actions trigger notifications on each channel independently.
Channels
| Channel | Delivery | Plan requirement |
|---|---|---|
| Email | Sends a formatted email to your account email address | Paid plan |
| Webhooks | POSTs a signed JSON payload to your HTTPS endpoint | Paid plan |
Email alerts and webhooks are configured separately. Enabling an action for email does not enable it for webhooks, and vice versa.
Event Categories
Actions are grouped into six categories:
| Category | Actions |
|---|---|
| Secrets | secret_create, secret_update, secret_delete, secret_read, secret_read_denied, secret_rotate, secret_rotate_denied, secret_note_update |
| Machines | bootstrap_token_create, machine_register, machine_approve, machine_deny, machine_revoke, machine_rename |
| Projects | project_create, project_update, project_delete, project_machine_add, project_machine_remove |
| Authentication | auth_failure, login_success, oauth_login, user_register, permission_grant, permission_revoke, 2fa_enable, 2fa_disable, password_change |
| Teams | team_invite, team_invite_accepted, team_invite_declined, team_invite_cancelled, team_joined, team_member_remove, team_permission_update |
| Sessions | session_revoke, session_revoke_all |
Severity Levels
Every action has a fixed severity level:
| Severity | Meaning | Examples |
|---|---|---|
| Critical | Active compromise indicator | auth_failure, project_delete, 2fa_disable |
| High | Significant security change | machine_register, machine_revoke, secret_delete, secret_read_denied, permission_grant, password_change |
| Medium | Access or trust boundary changed | machine_deny, project_machine_add, project_machine_remove, team_invite, team_permission_update |
| Low | Routine administrative change | machine_approve, bootstrap_token_create |
| Info | Normal operation | secret_read, secret_create, login_success, secret_rotate |
How Alerts Fire
When an auditable action occurs, the backend writes to the audit log and then calls the alert dispatcher. The dispatcher:
- Sends the event to the webhook dispatcher, which delivers to all matching webhooks for the user (independent of email preferences)
- Checks if the user has an email alert enabled for that action, and sends the email if so
Both channels run asynchronously and never block the operation that triggered them.
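The dispatch flow described above, modelled as an added Python example; it is not the product's code. The class, method and field names are hypothetical, the user record is constructed sample data, and `asyncio.sleep(0)` stands in for the real email and HTTPS delivery.

```python
import asyncio

class AlertDispatcher:
    """Toy model of the flow above: audit write first, then non-blocking fan-out."""
    def __init__(self):
        self.audit_log, self.delivered, self.failed = [], [], []
        self.tasks = set()  # strong references so pending deliveries are not collected

    async def deliver(self, channel, target, action, down=False):
        await asyncio.sleep(0)  # stands in for SMTP / HTTPS I/O
        if down:
            raise ConnectionError(f"{target} unreachable")
        self.delivered.append((channel, target, action))

    def done(self, task):
        self.tasks.discard(task)
        if task.exception():  # a failed delivery is recorded, never raised to the caller
            self.failed.append(str(task.exception()))

    def dispatch(self, user, action):
        # Webhooks: every webhook subscribed to the action, whatever the email prefs say.
        jobs = [self.deliver("webhook", w["url"], action, w.get("down", False))
                for w in user["webhooks"] if action in w["actions"]]
        # Email: only when the user enabled this action for email.
        if action in user["email_actions"]:
            jobs.append(self.deliver("email", user["email"], action))
        for job in jobs:
            task = asyncio.get_running_loop().create_task(job)
            self.tasks.add(task)
            task.add_done_callback(self.done)

    async def perform(self, user, action):
        self.audit_log.append(action)  # 1. audit log entry is written first
        self.dispatch(user, action)    # 2. alerts are scheduled, not awaited
        return "ok"                    # the operation's result ignores delivery outcome

def run_demo():
    # Constructed sample user: 2fa_disable goes to webhooks only, auth_failure to both.
    user = {"email": "ops@example.test", "email_actions": {"auth_failure"},
            "webhooks": [
                {"url": "https://siem.example.test/hook", "actions": {"2fa_disable", "auth_failure"}},
                {"url": "https://down.example.test/hook", "actions": {"2fa_disable"}, "down": True}]}
    async def scenario():
        d = AlertDispatcher()
        results = [await d.perform(user, a) for a in ("2fa_disable", "auth_failure", "secret_read")]
        pending_at_return = len(d.tasks)  # deliveries still queued when the operations returned
        await asyncio.gather(*d.tasks, return_exceptions=True)
        return results, pending_at_return, d
    return asyncio.run(scenario())
```

In the run, `2fa_disable` reaches the working webhook but produces no email, and the unreachable endpoint ends up in `failed` without affecting any operation's return value.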