How fast are webhook events delivered?

Events are typically delivered within a second of the verification completing. P99 delivery latency is under 5 seconds. We don't guarantee strict ordering — use event timestamps and IDs to reorder if your pipeline is order-sensitive.

What happens if my endpoint is down?

Failed deliveries retry with exponential backoff for up to 24 hours. After that, the event is marked failed and can be replayed manually from the dashboard. We recommend ingesting events into a queue or log for full audit history.

How do I prevent replay attacks?

Every event has a unique id and a created_at timestamp. Reject any event whose id you've seen before or whose timestamp is older than your tolerance window (we recommend 5 minutes). Combined with signature verification, this makes replay attacks practically impossible.

Can I subscribe to specific event types?

Yes. Each webhook endpoint is configured with the event types it should receive. Common subscriptions: verification.completed (all), verification.flagged (failures and manual-review), verification.failed (errors only).

Can I test webhooks before going live?

Yes. The dashboard has a 'Send test event' button that lets you trigger a synthetic event of each type. You can also use any tunneling tool (ngrok, Cloudflare Tunnel) during development.

VerifyAI Webhooks

Get verification events delivered to your backend in real time. Signed payloads, automatic retries, replay protection, and ready-to-go handlers for Node, Python, and Ruby.

Try Live Demo Contact Sales

Quick Start

1. Install

bash

# 1. Create a webhook endpoint in the VerifyAI dashboard:
#    Settings -> Webhooks -> Add endpoint
#
# 2. Subscribe to events you care about:
#    - verification.completed
#    - verification.flagged
#    - verification.failed
#
# 3. Copy the signing secret. You'll use it to verify incoming payloads.

2. Use

javascript

// Express example
import express from 'express';
import crypto from 'crypto';

const app = express();

app.post(
  '/webhooks/verifyai',
  express.raw({ type: 'application/json' }),
  (req, res) => {
    const signature = req.header('VerifyAI-Signature');
    const expected = crypto
      .createHmac('sha256', process.env.VERIFYAI_WEBHOOK_SECRET)
      .update(req.body)
      .digest('hex');

    if (signature !== expected) {
      return res.status(401).send('Invalid signature');
    }

    const event = JSON.parse(req.body.toString());

    switch (event.type) {
      case 'verification.completed':
        handleCompletion(event.data);
        break;
      case 'verification.flagged':
        handleFlagged(event.data);
        break;
    }

    res.status(200).send('ok');
  }
);

Features

Signed Payloads

Every webhook is signed with HMAC-SHA256 using your endpoint's secret. Verify signatures to prevent spoofing and tampering.

Automatic Retries

Failed deliveries retry with exponential backoff for up to 24 hours. You only need to be available — VerifyAI handles transient outages.

Event Filtering

Subscribe per-endpoint to only the events you need: completions, flagged, failed, manual-review, or all events.

Replay Protection

Timestamped events with monotonic IDs let you detect and discard replays. Idempotency is built into the design.

Dashboard Replay

Re-deliver any past event from the dashboard. Useful when debugging or when an endpoint was down longer than the retry window.

Multiple Endpoints

Configure multiple endpoints per project for different environments, services, or downstream consumers (CRM, ops, billing).

Code Examples

Requirements

A public HTTPS endpoint that can receive POST requests
Ability to verify HMAC-SHA256 signatures with your endpoint's secret
VerifyAI API key with webhook configuration enabled
Idempotent processing (we may deliver an event more than once)

Frequently Asked Questions

Stream Verification Events to Your Stack

Signed, retried, replay-protected webhooks for any backend. Start your free sandbox today.