Webhooks

Webhook Setup

Configure your webhook endpoint and verify HMAC signatures

Webhook Configuration

You must provide a publicly accessible HTTPS endpoint to VerifiMe during onboarding.

Requirements:

Must be HTTPS (SSL/TLS required)
Must be publicly accessible from the internet
Must return HTTP 200 within 10 seconds
Must handle POST requests

Webhook Security

Every webhook includes an HMAC-SHA256 signature in the request header.

Headers:

Header	Description
`X-VerifiMe-Signature`	HMAC-SHA256 hex digest of request body
`X-VerifiMe-Version`	Webhook schema version (currently "1")
`Content-Type`	`application/json`

Verification Process:

Receive raw request body (do not parse JSON yet)
Compute HMAC-SHA256 hash of raw body using your shared secret
Compare computed hash with X-VerifiMe-Signature header
If signatures don't match, return HTTP 401 and stop processing
Only process the webhook if the signature is valid

Always use constant-time comparison when validating signatures to prevent timing attacks.

Widget Integration

Embed the VerifiMe verification widget in your application

Event: RISK_ASSESSMENT_UPDATED

Webhook payload for completed risk assessments

On this page

Webhook Configuration Webhook Security