Risk assessment updated

VerifiMe sends a POST request to your configured HTTPS endpoint whenever a risk assessment status changes. Register your endpoint via the Webhooks page in the developer portal.

Signature verification: Each request includes an X-VerifiMe-Signature header containing the HMAC-SHA256 hex digest of the raw request body, signed with your webhook secret.

To verify:

Read the raw request body before parsing JSON
Compute HMAC-SHA256 of the raw body using your shared secret
Compare your digest to the X-VerifiMe-Signature header value using constant-time comparison
Return 401 if the signatures do not match. This permanently stops delivery for the event.

Idempotency: Use eventId to deduplicate events. VerifiMe may deliver the same event more than once during retries.

Processing: Only process events where assessmentStatus is ASSESSED. Ignore PENDING and PRELIMINARY events.

Timeout: Respond within 30 seconds. Requests that exceed this are treated as timeouts and trigger the retry path.

Retry behaviour:

Response	VerifiMe action
`2xx`	Accepted - no retry
`401`	Invalid signature - delivery permanently stopped
`408` / `5xx` / timeout	Retried with exponential backoff (15-minute interval, max 5 attempts, then dead-letter queue)
`429` / `503` + `Retry-After`	Retried after the specified delay (max 12 hours)
`429` / `503` without `Retry-After`	Retried with exponential backoff
Other `4xx` (except `408`, `429`)	Permanent failure - no retry

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

eventId*string

Unique event identifier. Use this to deduplicate events delivered more than once during retries.

Formatuuid

eventName*string

Always RISK_ASSESSMENT_UPDATED

Value in"RISK_ASSESSMENT_UPDATED"

customerName*string

Verified entity name (person, company, trust, or fund)

assessmentStatus*string

Current state of the assessment.

PENDING: assessment queued but not yet started - ignore this event
PRELIMINARY: partial assessment in progress - ignore this event
ASSESSED: assessment complete, risk level calculated - process this event

Value in"PENDING" | "PRELIMINARY" | "ASSESSED"

riskLevel*string

Calculated risk level. UNKNOWN when assessmentStatus is not ASSESSED.

UNKNOWN: risk level not yet determined
LOW: minimal risk detected based on assessment rules
MEDIUM: moderate risk factors present
HIGH: significant risk factors identified
EXTREME: maximum risk level - multiple serious risk factors

Value in"UNKNOWN" | "LOW" | "MEDIUM" | "HIGH" | "EXTREME"

assessmentPortalUrl*string

URL to the full assessment in the VerifiMe client portal

Formaturi

eventTimestamp*string

ISO 8601 timestamp of when the event was generated

Formatdate-time

metadata?string

The referenceData value from the original invite call. Empty string if no referenceData was provided.

Response Body

Example Requests

POST/RISK_ASSESSMENT_UPDATED

Request Body

Response Body

200

401

429

503

Request Bodyapplication/json