Recipes
Webhook Automation
Register a webhook once, verify signatures, fan out to the chat tool or automation runner you already use.
Register once#
Subscribe to facility events with the standard `/v1/webhooks` POST. CribScore returns a signing secret — store it in your relay's secret manager.
curl -X POST "https://api.cribscore.co/v1/webhooks" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"facility_id": "fac_01HZ8X9K2D7N3M5P0AYR4FTC2W",
"callback_url": "https://automation.example.com/cribscore",
"events": ["score_change", "license_change", "violation_recorded"]
}'Verify before fan-out#
Every delivery includes `X-CribScore-Signature` (HMAC-SHA256). Verify before doing anything — especially before posting to chat where a forged payload could embarrass operators.
import crypto from "node:crypto";
const SIGNING_SECRET = process.env.CRIBSCORE_WEBHOOK_SECRET ?? "";
export function verifyCribscoreSignature(rawBody: string, header: string): boolean {
const expected = crypto
.createHmac("sha256", SIGNING_SECRET)
.update(rawBody)
.digest("hex");
const a = Buffer.from(expected, "hex");
const b = Buffer.from(header.replace(/^sha256=/, ""), "hex");
return a.length === b.length && crypto.timingSafeEqual(a, b);
}Fan out to Slack / Teams / email#
After signature verification, transform the payload into your tool's message format. CribScore ships starter templates so you do not have to author the mapping from scratch.
- Slack incoming webhook → https://www.cribscore.co/automation/slack-incoming-webhook.json
- Microsoft Teams → https://www.cribscore.co/automation/teams-webhook.json
- Email relay → https://www.cribscore.co/automation/email-relay.json
n8n / Zapier / Make#
If you do not want to host a relay, use the n8n starter — drop the webhook URL into an n8n trigger and you have a working pipeline with field mappings baked in.
- n8n starter: https://www.cribscore.co/automation/n8n-starter.json