PgBeam Docs

Webhook Events

The full set of webhook event types PgBeam delivers, when each one fires, and the payload shape you receive.

Audit export delivers events to a webhook endpoint as they happen. This page enumerates every event type you can subscribe to, when each one fires, and the fields in its payload. Subscribe to a subset with event_types (the CLI --event flag), or omit it to receive all of them.

Event types

event_typeFires when
query_blockedA statement is rejected by policy (allowlist, read-only, and so on).
budget_exhaustedA credential hits its query or row budget.
kill_switchA credential or project kill-switch is tripped.
maskedA result is returned with one or more masked columns.
migration_flaggedA DDL statement is flagged by the safe-migration linter.
approval_requestedA write or DDL is held for approval.
anomaly_alertAnomaly detection raises an alert.

A separate webhook.test event is sent only when you use Send test event on an endpoint. You do not subscribe to it, and it never fires from live traffic.

Envelope

Every delivery in the native json format shares the same envelope. The event-specific fields live under data.

Envelope
{
  "id": "whd_2a9f1c",
  "type": "query_blocked",
  "project_id": "prj_abc",
  "occurred_at": "2026-06-13T09:24:11.512Z",
  "data": {}
}
FieldDescription
idStable event id. Use it to de-duplicate retried deliveries.
typeThe event type, one of the values above.
project_idThe project the event belongs to.
occurred_atWhen the underlying event happened (RFC 3339).
dataEvent-specific fields, documented per event type below.

The SIEM formats (splunk_hec, datadog, elastic) wrap these same fields in the shape that product expects.

Audit-derived events

query_blocked, budget_exhausted, masked, migration_flagged, and approval_requested all come from the audit log. They share the same data shape; the event field inside data tells you which underlying audit event it was.

query_blocked data
{
  "audit_id": "aud_9f2c",
  "credential_id": "agent_4f2c",
  "region": "us-east-1",
  "event": "blocked",
  "sql": "DELETE FROM users",
  "normalized_sql": "DELETE FROM users",
  "query_hash": "8c1f0a2b3d4e5f60",
  "statement_kind": "delete",
  "decision_rule": "read_only",
  "reason": "policy is read-only: DELETE is not allowed",
  "rows_returned": 0,
  "bytes_out": 0,
  "latency_ms": 4.2,
  "client_ip": "203.0.113.10",
  "session_id": "sess_71ab",
  "source": "mcp"
}
FieldDescription
audit_idId of the audit-log entry this event came from.
credential_idThe credential that ran the statement.
regionRegion that served the statement.
eventThe underlying audit event (for example blocked, masked).
sqlThe statement, as parsed.
normalized_sqlThe statement with literals stripped.
query_hashHash of the normalized statement.
statement_kindThe statement kind (for example select, delete).
decision_ruleThe rule that produced the decision.
reasonWhy it was blocked, masked, or held.
rows_returnedRows returned to the agent, after masking and row caps.
bytes_outBytes returned.
latency_msTime to serve the statement.
client_ipThe agent's source IP.
session_idThe wire session the statement ran in.
sourceWhere the statement came from: a connection string or MCP.

The kill_switch type also fires from the audit stream when a statement is killed mid-flight, with the same data shape as above.

kill_switch (project)

When a project kill-switch is engaged from the control plane, the event carries a compact payload rather than a per-statement one:

kill_switch data (project engage)
{
  "project_id": "prj_abc",
  "agents_disabled": true,
  "reason": "project_kill_switch_engaged"
}
FieldDescription
project_idThe project whose kill-switch was engaged.
agents_disabledtrue while agent connections are blocked.
reasonWhy the kill-switch fired.

anomaly_alert

Raised by anomaly detection when a credential drifts from its baseline.

anomaly_alert data
{
  "id": "ano_5c7d",
  "project_id": "prj_abc",
  "credential_id": "agent_4f2c",
  "kind": "egress_spike",
  "severity": "high",
  "title": "Egress well above baseline",
  "details": {},
  "window_start": "2026-06-13T08:00:00Z",
  "window_end": "2026-06-13T09:00:00Z"
}
FieldDescription
idThe anomaly alert id.
project_idThe project the alert belongs to.
credential_idThe credential the alert is about.
kindThe signal that tripped: volume_spike, egress_spike, new_query_shape, off_hours, or error_spike.
severityThe alert severity.
titleA short human-readable summary.
detailsSignal-specific detail (varies by kind).
window_startStart of the window the alert was computed over (RFC 3339).
window_endEnd of that window (RFC 3339).

webhook.test

Sent by Send test event so you can verify a receiver before relying on it.

webhook.test data
{
  "message": "PgBeam test event",
  "endpoint_id": "whk_...",
  "format": "json"
}

On this page