Webhooks for Tuist Events

If your team has wanted Tuist to push events into Slack, Jira, your incident tool, or any internal automation, you’ve probably had to write a polling job against the Tuist API to do it. As of the 2026.05.15 release, you don’t have to: Tuist now ships outbound webhooks as a first-class account resource.

Register an HTTPS endpoint from the dashboard, tick the events you care about, and Tuist takes care of signing each request, retrying transient failures, and keeping a per-delivery audit log you can inspect later.

image2180×1666 191 KB

What’s in this release

• Events you can subscribe to. test_case.created, test_case.updated (covers transitions like marked_flaky, muted, unskipped), preview.created, and preview.deleted. The create modal groups them by resource so you can subscribe per family or per individual event.
• Signed payloads. Every request carries a Tuist-Signature: t=<ts>,v1=<hex> header, HMAC-SHA256 over "<unix_ts>.<raw_json>", with a 5-minute replay tolerance. Receivers verify against a per-endpoint signing secret you can rotate at any time.
• Retries with backoff. Up to 7 attempts on a 1m, 5m, 30m, 2h, 8h, 24h schedule. Edits to the URL or a secret rotation take effect on the next attempt.
• Delivery dashboard. Each endpoint has its own page with a Total / Failed deliveries chart, a filterable events table, and a per-event detail view showing the exact request body, request headers, response status, and response body Tuist sent and received. Useful both for debugging your receiver and for proving to auditors that an event was delivered.
• SSRF-safe by default. Loopback, private, link-local, and cloud-metadata destinations are rejected before any bytes leave the process, and the rejection is recorded as a failed attempt so you can see it on the dashboard.

How to get started

1. Open your account’s Webhooks tab in the dashboard.
2. Click Add endpoint, paste your HTTPS URL, pick the events.
3. Copy the tuist_webhook_… signing secret on creation (it’s shown once).
4. Verify the Tuist-Signature header on incoming requests using the snippet in the Webhooks guide.

For each supported event, the exact payload shape is documented on tuist.dev/api/docs under the Webhook events section.

Do I need to do anything?

No. Webhooks are opt-in: nothing changes for existing accounts unless you register an endpoint. If you’re self-hosted, the same feature is available on the next release.

As always, feedback is very much welcome. If your team has an event you’d like to subscribe to that isn’t on the list yet, let us know which one and what you’d hook it up to.

Learn more

• Pull request: tuist/tuist#10748
• Changelog entry: 2026.05.15 Webhooks
• Integration guide: Webhooks
• Payload reference: Webhook events on tuist.dev/api/docs