A destination delivers to either a webhook URL or a Slack channel. Both use the same event types and minimum-priority filtering described on this page. Slack destinations post through LangSmith’s managed Slack app instead of sending the JSON payload below, so the signing secret and custom headers do not apply.To set up Slack delivery, see Notify a Slack channel. The rest of this page documents webhook URL destinations.
Delivery
LangSmith sends aPOST request with a JSON body to your webhook URL. The request uses Content-Type: application/json and includes any custom headers you attached to the subscription.
Retries deliver a byte-identical payload, including the same
id. Dedupe on id so a retried delivery does not produce a duplicate downstream effect.Custom headers
You can attach arbitrary headers to each subscription (for example,Authorization: Bearer …) to authenticate the caller at your endpoint. Content-Type is always set by LangSmith and cannot be overridden.
Signing secret
Each subscription has a signing secret. LangSmith uses this secret to sign the raw webhook request body and sends the result in theX-LangSmith-Signature header.
The header value has this format:
Roll a signing secret
Roll a signing secret when it may have been exposed, or when your organization’s credential rotation policy requires a new secret. To roll a secret, open the subscription row in Engine Settings, click Roll signing secret, and confirm. LangSmith generates a new signing secret and uses it for future webhook deliveries immediately. The previous secret stops signing deliveries as soon as the roll completes. After rolling the secret, update every consumer that verifiesX-LangSmith-Signature with the new value.
Severity filtering
Each subscription has aseverity_threshold from 0 to 3. For issue events, an event is delivered only when the issue’s severity is less than or equal to the threshold. Lower numbers are more urgent.
For example, a subscription with
severity_threshold: 1 receives events for URGENT (0) and HIGH (1) issues only.
Severity thresholds do not apply to issue.agent_run.failed, because run-failure events are scoped to an Engine session rather than to a specific issue.
Event-type filtering
Each subscription specifies the event types it wants to receive. Subscriptions created without an explicit list default to["issue.created"].
Event envelope
Every event delivered to your endpoint uses the same outer JSON shape.Issue data.object
For issue.created and issue.trace.added, data.object is a snapshot of the issue. Treat it as the authoritative state of the issue at the time the event was generated.
Run failure data.object
For issue.agent_run.failed, data.object describes the Engine run that failed.
data.trace
data.trace is included only on issue.trace.added events.
Batch coalescing
A single upstream action can produce multiple webhook events. When Engine opens a new issue and attaches five traces to it, you receive oneissue.created event and five issue.trace.added events, all sharing the same request_id. Use request_id to group these into a single downstream notification.
Event types
The event types below are the complete set LangSmith Engine sends today. New types may be added in the future, so handlers should ignore unknowntype values rather than failing.
issue.created
Sent when LangSmith Engine creates a new issue. data.trace is omitted.
issue.trace.added
Sent when a new trace is linked to an existing issue. data.trace describes the linked trace.
issue.agent_run.failed
Sent when LangSmith Engine fails to complete a run. This event is session-scoped, so it does not include data.trace and does not use severity filtering.
Test your endpoint
Before pointing a real subscription at your endpoint, send a sample payload to verify it accepts and acknowledges within the 20-second timeout:issue.created as sample-issue-created.json. Verify that:
- The custom
Authorizationheader arrives and matches the secret you configured on the subscription. - The handler persists the event keyed by its
idso retries are deduped. - The handler returns
2xxbefore kicking off slow downstream work.
Security
- Webhook URLs are validated when the subscription is created and again at delivery time. Private and metadata IP ranges are blocked in SaaS. Both
http://andhttps://are accepted; usehttps://so the payload and any custom headers are not sent in cleartext. - LangSmith signs webhook bodies with the subscription’s signing secret. Verify
X-LangSmith-Signaturebefore processing the payload. - You can also set custom headers on the subscription, such as
Authorization: Bearer …, for routing or additional authentication at your endpoint. - Dedupe on the event
idso that a retried delivery does not cause a duplicate notification.
Best practices
- Acknowledge fast. Respond with
2xxas soon as you have persisted the event. Move slow work (fan-out, paging, downstream API calls) onto a queue so your handler stays within the 20-second timeout. - Tolerate unknown event types. Ignore
typevalues your handler does not recognize. New event types may be added without notice. - Tolerate new fields. Parse payloads with a permissive schema. New fields may be added to existing event types without notice.
Connect these docs to Claude, VSCode, and more via MCP for real-time answers.

