Skip to content

Alerts & Notifications

Configure email and webhook notifications to stay informed about expiring credentials, failed operations, and security events.

Overview

CertifyClouds alerts keep your team notified:

  • Multiple channels: Email, Slack, Microsoft Teams, PagerDuty, custom webhooks
  • Alert types covering discovery, rotation, sync, and B2C events
  • Delivery modes: Immediate (on trigger), scheduled digest, or both
  • Flexible scheduling: Configure when digests are sent
  • Subscription filtering: Scope alerts to specific Azure subscriptions

Alert Types

Discovery Alerts

Alert Type Trigger Severity
secret_expiring Any Key Vault asset (secret, certificate, or key) expires within threshold Warning
secret_expired Any Key Vault asset (secret, certificate, or key) has already expired Critical
scan_completed Discovery scan finished Info
vault_error Error accessing Key Vault Error

Rotation Alerts (PRO + ENTERPRISE)

Alert Type Trigger Severity
rotation_success Credential successfully rotated Info
rotation_failed Rotation attempt failed Error

Sync Alerts (PRO + ENTERPRISE)

Alert Type Trigger Severity
sync_success Secret synced to target cloud Info
sync_failed Sync operation failed Error
sync_conflict Conflicting versions detected during sync Warning

B2C Alerts (PRO + ENTERPRISE)

Alert Type Trigger Severity
b2c_credentials_expiring B2C tenant credential expires within threshold Warning

Notification Channels

Email

Send alerts to individuals or distribution lists.

Configuration (Settings > Alerts):

  1. Click Add Rule
  2. Select alert type (e.g., secret_expiring)
  3. Choose Email delivery
  4. Enter recipient(s)
  5. Set threshold (for expiring alerts)
  6. Save

SMTP Setup Required:

Configure email in your environment:

SMTP_HOST=mail.smtp2go.com
SMTP_PORT=2525
SMTP_USERNAME=<your-username>
SMTP_PASSWORD=<your-password>
SMTP_FROM_EMAIL=alerts@yourcompany.com

SENDGRID_API_KEY=<YOUR_SENDGRID_API_KEY>
SENDGRID_FROM_EMAIL=alerts@yourcompany.com

Slack

Post alerts to Slack channels using incoming webhooks.

Setup:

  1. In Slack, create an Incoming Webhook:
  2. Go to your Slack workspace settings
  3. Apps > Manage > Custom Integrations > Incoming Webhooks
  4. Create webhook and copy URL
  5. In CertifyClouds:
  6. Settings > Alerts > Add Rule
  7. Select Webhook delivery
  8. Choose type: Slack
  9. Paste webhook URL
  10. Save

Payload Format: 

{
  "attachments": [
    {
      "color": "#EF4444",
      "title": "Secret Expiring Alert",
      "text": "Found 3 secrets expiring within 30 days",
      "footer": "CertifyClouds",
      "fields": [
        {"title": "Vault", "value": "kv-production", "short": true},
        {"title": "Secrets", "value": "api-key, db-password", "short": true}
      ]
    }
  ]
}

Microsoft Teams

Post to Teams channels using Incoming Webhooks.

Setup:

  1. In Teams, create an Incoming Webhook:
  2. Go to channel settings > Connectors
  3. Add Incoming Webhook
  4. Copy webhook URL
  5. In CertifyClouds:
  6. Settings > Alerts > Add Rule
  7. Select Webhook delivery
  8. Choose type: Teams
  9. Paste webhook URL
  10. Save

Payload Format: 

{
  "@type": "MessageCard",
  "@context": "https://schema.org/extensions",
  "themeColor": "EF4444",
  "title": "Secret Expiring Alert",
  "text": "Found 3 secrets expiring within 30 days",
  "sections": [
    {
      "facts": [
        {"name": "Vault", "value": "kv-production"},
        {"name": "Secrets", "value": "api-key, db-password"}
      ]
    }
  ]
}

Generic Webhook

For custom integrations not covered by Slack / Teams / PagerDuty.

Payload Format: 

{
  "title": "Secret Expiring Alert",
  "message": "Found 3 secrets expiring within 30 days",
  "color": "#EF4444",
  "timestamp": "2026-05-20T12:00:00+00:00",
  "source": "CertifyClouds",
  "fields": [
    {"title": "Vault", "value": "kv-production"},
    {"title": "Secrets", "value": "api-key, db-password"}
  ]
}

For Slack and Microsoft Teams payload shapes see Webhook Delivery.

PagerDuty (1.4.14)

Page on-call directly via the PagerDuty Events API v2. CertifyClouds posts to https://events.pagerduty.com/v2/enqueue (hardcoded server-side); the per-service Integration Key is the credential.

Setup

  1. In PagerDuty: Services → Service Directory → New Service → "Events API v2" integration. Name it "CertifyClouds".
  2. Copy the 32-character Integration Key.
  3. In CertifyClouds: Settings → Alerts → New Rule → Webhook → Type: PagerDuty, paste the Integration Key in the "Routing Key" field.
  4. Click Test webhook. A test incident appears in PagerDuty.

Severity mapping

CertifyClouds maps each alert type to a PagerDuty severity:

CertifyClouds alert type PagerDuty severity
secret_expired critical
rotation_failed, sync_failed, vault_error error
secret_expiring, sync_conflict, b2c_credentials_expiring warning

Routine completion events filtered

rotation_success, sync_success, scan_completed, discovery_completed are not forwarded to PagerDuty by design - PagerDuty is for paging, not log stream. Use email / Slack / Teams for routine confirmations.

Dedup key

CertifyClouds derives a stable dedup key per alert (e.g. cc:secret_expired:kv-prod:client-secret) so repeated alerts about the same resource collapse into one PagerDuty incident rather than flooding the on-call.

Networking requirement

CertifyClouds must reach events.pagerduty.com:443 outbound. If your deployment sits behind an egress proxy or in an air-gapped network, this hostname must be allow-listed; CertifyClouds does not currently support proxy-routed PagerDuty delivery.

Payload sent

{
  "routing_key": "<your-integration-key>",
  "event_action": "trigger",
  "dedup_key": "cc:secret_expired:kv-prod:client-secret",
  "client": "CertifyClouds",
  "payload": {
    "summary": "Secret expired in kv-prod",
    "source": "CertifyClouds",
    "severity": "critical",
    "timestamp": "2026-05-20T15:00:00+00:00",
    "component": "secret_expired",
    "custom_details": {
      "message": "1 secret has expired and requires immediate rotation",
      "alert_type": "secret_expired",
      "fields": [
        {"name": "Vault", "value": "kv-prod"},
        {"name": "Secret", "value": "client-secret"}
      ]
    }
  }
}

Delivery Modes

Immediate

Alerts sent on the next evaluator tick after the triggering event.

Best for:

  • Critical alerts (expired secrets)
  • Rotation failures
  • Security events

Digest

Alerts batched and sent on a schedule.

Best for:

  • Warning-level alerts (expiring soon)
  • Reducing notification fatigue
  • Non-urgent monitoring

Both

Send critical alerts immediately AND include in digest.

Scheduling

Digest Schedule

Configure when digest emails are sent:

Schedule Description
Daily 8:00 AM Once per day
Daily 9:00 AM + 5:00 PM Twice per day
Weekly Monday 9:00 AM Weekly summary

Configure Schedule

  1. Go to Settings > Alerts
  2. Click Digest Settings
  3. Select timezone
  4. Set delivery times
  5. Save

Creating Alert Rules

Step-by-Step

  1. Navigate: Settings > Alerts
  2. Add Rule: Click "Add Rule" button
  3. Configure:
  4. Name: Descriptive rule name
  5. Alert Type: What triggers the alert
  6. Threshold: Days before expiry (for expiring alerts)
  7. Delivery: Email, Webhook, or both
  8. Mode: Real-time, Digest, or Both
  9. Recipients/URL: Destination for alerts
  10. Filter (optional):
  11. Specific subscriptions
  12. Specific vaults
  13. Asset types
  14. Save: Enable and save the rule

Example Rules

Critical: Expired secrets (real-time)

  • Type: secret_expired
  • Delivery: Email + Slack
  • Mode: Real-time
  • Recipients: security-team@company.com

Warning: Secrets expiring in 30 days (digest)

  • Type: secret_expiring
  • Threshold: 30 days
  • Delivery: Email
  • Mode: Digest (daily)
  • Recipients: ops-team@company.com

Info: Rotation success (real-time)

  • Type: rotation_success
  • Delivery: Teams webhook
  • Mode: Real-time

Testing Alerts

Test Button

Each alert rule has a "Test" button:

  1. Go to Settings > Alerts
  2. Find the rule to test
  3. Click Test
  4. Verify notification received

Programmatic test

POST /api/alerts/rules/{id}/test dispatches a test notification through the rule's configured channel. Request and response shapes are in your deployment's /docs.

Alert History

View all sent alerts:

  1. Go to Alerts tab
  2. Click History
  3. Filter by:
  4. Date range
  5. Alert type
  6. Delivery status

Statuses

Status Description
Delivered Successfully sent
Failed Delivery failed (check logs)
Pending In digest queue
Retrying Retry in progress

Retry Logic

Failed webhook deliveries are retried with exponential backoff. 2xx responses are treated as success; 4xx responses (except 408 / 429) are treated as permanent client errors and not retried; 5xx, 408, 429, timeouts, and connection errors are retried. Persistent failures eventually mark the alert as failed and surface in the rule's delivery history.

See Webhook Delivery for the receiver payload shapes.

Troubleshooting

Emails not received

  1. Check SMTP configuration in environment variables
  2. Verify recipient email address
  3. Check spam/junk folder
  4. Review application logs for errors

Webhook failures

  1. Verify webhook URL is correct
  2. Check if endpoint is accessible from CertifyClouds
  3. Ensure endpoint accepts POST requests
  4. Check for firewall/network restrictions

Duplicate notifications

  1. Check for overlapping rules
  2. Review threshold settings
  3. Ensure you don't have both real-time AND digest for the same alert

API access

Alert rules can be managed programmatically via /api/alerts/rules and delivery history queried via /api/alerts/history. The full endpoint catalogue is in API Endpoints; exact request and response shapes are in your deployment's /docs.

Best Practices

  1. Don't over-alert: Use digests for warnings, real-time for critical
  2. Route appropriately: Send security alerts to security team, ops alerts to ops
  3. Test regularly: Use the test button to verify delivery
  4. Monitor failures: Check alert history for delivery issues
  5. Use thresholds wisely: 30 days gives time to act without noise