When does the Crawlux API ship?

The Crawlux API is planned for Q4 2026. Currently audits run via the Crawlux web dashboard with JSON output downloadable per audit. The API will allow programmatic audit triggering, status polling, webhook callbacks and result retrieval. Subscribe via the docs early-access waitlist to be notified when API access opens.

Can I get audit JSON output today?

Yes. Every Crawlux audit produces a JSON output downloadable from the audit dashboard. The JSON structure is documented on this page. Pro and Team tier audits also produce a white-label PDF report. Free tier audits produce a JSON output and a summary HTML report.

What authentication will the API use?

The API will use API key authentication via Bearer tokens. API keys will be generated from the Crawlux dashboard. Each API key gets scoped to a workspace and has configurable rate limits. Webhook callbacks will be authenticated via HMAC-SHA256 signatures using a shared secret.

Will SDKs be available?

Two SDKs are planned for the Q4 2026 launch. A Node.js SDK published to npm under the package name crawlux-sdk. A Python SDK published to PyPI under the package name crawlux. Both SDKs will provide typed wrappers around the REST API plus helpers for common patterns like polling for audit completion.

What rate limits will the API have?

Rate limits will scale with tier. Free tier: 5 audits per month. Pro tier: 50 audits per month. Team tier: 200 audits per month. Enterprise tier (custom pricing): unlimited audits with dedicated infrastructure. All tiers include unlimited result retrieval calls. Webhook callbacks count separately and are not rate-limited.

How can I get notified when the API ships?

Three ways. First, email developers@crawlux.com with subject API Waitlist to join the early access list. Second, follow the changelog page for product updates. Third, run a free audit and reply to any of the email follow-ups confirming developer interest. Early access opens approximately 2 weeks before public API launch.

Docs · Webhooks · Live today

Webhook payloads and signature verification.

Configure a webhook URL in the Crawlux dashboard. When an audit completes, Crawlux POSTs the full audit JSON to your endpoint. Useful for triggering downstream automation, populating CRM records or alerting agency teams. Pro and Team tiers only.

// How it works

Lifecycle of a webhook delivery.

An audit completes. Crawlux generates the audit JSON (documented in the audit JSON reference). The webhook system POSTs the JSON to your configured URL with an HMAC-SHA256 signature header. Your endpoint returns a 2xx status within 5 seconds to acknowledge receipt. If your endpoint returns non-2xx or times out, Crawlux retries up to 5 times over 24 hours with exponential backoff. Final failure after 5 retries marks the delivery as failed in your dashboard but does not affect the audit itself.

// Section 01 · Payload shape

Headers and body.

Every webhook POST carries five Crawlux headers plus the standard Content-Type. The body is the full audit JSON, identical to what you would download from the dashboard.

POST {your-webhook-url}

// Headers
Content-Type: application/json
X-Crawlux-Event: audit.completed
X-Crawlux-Signature: sha256=a4b8c92e3f1d7b6a8c5e9f2d1a4b7c8e9f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7
X-Crawlux-Audit-Id: aud_8f3k29vJ7nQ
X-Crawlux-Delivery: del_2HxJ4nP3kqM
X-Crawlux-Timestamp: 1714377407

// Body (full audit JSON, see /docs/audit-json/ for the full schema)
{
  "audit_id": "aud_8f3k29vJ7nQ",
  "version": "v3",
  "domain": "example-protocol.io",
  ...
}

// Section 02 · Signature verification

Always verify the signature before processing.

The X-Crawlux-Signature header is an HMAC-SHA256 computed using a shared secret you configured in the dashboard. The secret is the signing key; the message is the raw request body. Verify the signature before trusting the payload, otherwise anyone can POST forged audit JSON to your endpoint.

verify-webhook.js

const crypto = require("crypto");

function verifyCrawluxSignature(rawBody, signatureHeader, secret) {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex");
  const received = signatureHeader.replace("sha256=", "");
  return crypto.timingSafeEqual(
    Buffer.from(expected, "hex"),
    Buffer.from(received, "hex")
  );
}

// In your Express handler
app.post("/webhooks/crawlux", (req, res) => {
  const sig = req.headers["x-crawlux-signature"];
  if (!verifyCrawluxSignature(req.rawBody, sig, process.env.CRAWLUX_WEBHOOK_SECRET)) {
    return res.status(401).send("invalid signature");
  }
  // Process the payload asynchronously and return 200 immediately
  queue.add("process-audit", req.body);
  res.status(200).send("ok");
});

// Section 03 · Events

Three event types fire on webhooks.

`audit.completed`

Fired when an audit finishes successfully. Payload contains the full audit JSON. Most common event for downstream automation. Use this to populate CRM records, trigger client reports, or alert internal channels.

`audit.failed`

Fired when an audit cannot complete. Payload contains the audit_id, the error code (see error reference) and the error message. Common causes: domain unreachable, robots.txt disallow, rate limit hit.

`audit.retried`

Fired when a failed audit gets automatically retried. Up to 3 retries with exponential backoff. Final failure after all retries produces audit.failed instead.

// Section 04 · Delivery guarantees

Reliability and retry semantics.

Crawlux retries webhook delivery up to 5 times over 24 hours if your endpoint returns non-2xx status or fails to respond within 5 seconds. Retry schedule uses exponential backoff: roughly 1 minute, 5 minutes, 30 minutes, 2 hours, then 6 hours. After 5 failed attempts the delivery is marked failed in your dashboard. You can manually retry from the dashboard for 7 days after the original event.

Always return a 2xx status quickly and process the payload asynchronously. Synchronous processing inside the webhook handler risks timeout, retry storms and duplicate processing. Recommended pattern: validate the signature, push the payload to a queue (Bull, SQS, Redis), return 200, process from the queue.

// Section 05 · Configuration

How to set up webhooks.

Webhook configuration lives in the Crawlux dashboard under Settings → Webhooks. Pro and Team tiers can configure unlimited webhooks per workspace. Each webhook gets: a URL, an array of event types to subscribe to, and a signing secret (auto-generated, displayed once at creation).

When the API ships in Q4 2026, webhooks can also be configured programmatically via POST /webhooks. Until then, configuration is dashboard-only.

// Related docs

Where to go from here.

Audit JSON output structure — full reference for the payload body
Error reference — for audit.failed event payloads
REST API reference — Q4 2026 endpoint surface including POST /webhooks
Docs overview — full developer reference index

Run a free audit and download the JSON

The fastest way to evaluate the audit JSON for integration: run a real audit on your own domain and inspect the output. Free first audit per domain.

Join API waitlist

JSON output live · Webhooks live · API Q4 2026 · 2-week early access window