Exports & integrations
API keys + webhooks (Enterprise)
1 min readUpdated May 22, 2026
Programmatic access
Enterprise plans unlock the REST API + webhook system.
Creating an API key
/dashboard/api-keys β "Create key" β copy the smw_pk_live_<32-byte-random> token. Shown only once β store in your secret manager.
- Keys are hashed at rest (bcrypt)
- Last-4 characters shown in UI for identification
- Per-key scope (workspace-bound, role-bound, IP-bound)
- Rate limit: 100 requests/minute per key, 10,000/day total
Calling the API
curl -H "Authorization: Bearer smw_pk_live_..." \
-H "Content-Type: application/json" \
https://api.slapmyweb.com/v1/audits/<audit-id>
Full endpoint list: /api-docs (interactive Swagger UI).
Webhooks
/dashboard/webhooks β "Add endpoint" β paste your HTTPS URL. We POST signed JSON payloads on these events:
audit.completedβ when a scan finishesscheduled_report.sentβ when a recurring report is deliveredscheduled_report.bouncedβ when a recipient bouncesshare_link.created,share_link.viewedβ share-link lifecycleworkspace.member_invited,workspace.member_joined
HMAC signature
Every webhook includes X-Slapmyweb-Signature: t=<ts>,v1=<hex> where hex = HMAC-SHA256(<webhook-secret>, "<ts>.<raw-body>"). Verify in your handler with constant-time comparison. t is unix-timestamp; reject if older than 5 minutes (replay protection).
Was this article helpful?
Still stuck? Our support team replies within 8 hours on weekdays.
More in Exports & integrations