Event catalog
Webhook events are shared between User and Business sessions — thesession_kind field on the payload tells you which kind the event refers to. Entity-level events are separate from session-level events.
Session-level events
| Event | When it fires |
|---|---|
status.updated | A session’s status changed. For Business Verification (KYB) sessions the payload carries session_kind: "business". |
data.updated | A session’s data was updated (registry refresh, key-people submission, document upload, AML rescan). Payload includes session_kind: "business" for KYB sessions. |
Business entity events
| Event | When it fires |
|---|---|
business.status.updated | The linked Business entity’s status changed (ACTIVE / FLAGGED / BLOCKED). |
business.data.updated | The Business entity’s profile fields or aggregate counters changed. |
Envelope
Every webhook uses the same top-level envelope. Thesession_kind field inside data discriminates between User Verification (KYC) and Business Verification (KYB) for session-level events.
Payload shapes
status.updated — Business Verification (KYB) session
Fires when a KYB session’s status transitions.
decision block contains the same shape as GET /v3/session/{id}/decision/ — registry_checks[], key_people_checks[], document_verifications[], aml_screenings[], etc.
data.updated — Business Verification (KYB) session
Fires when session data (registry, key people, documents, AML) changed without a status transition.
changed_fields to efficiently decide what to re-fetch.
business.status.updated
Fires when the Business entity moves between ACTIVE, FLAGGED, or BLOCKED.
business.data.updated
Fires when the Business entity’s profile fields or aggregate counters change.
Signature verification
All webhooks are signed HMAC-SHA256 with your destination’s shared secret, sent in theX-Didit-Signature header. Verify the raw request body before acting.
Example (Node.js):
Retry policy
- Non-2xx responses trigger retries with exponential backoff.
- Up to 5 retries over ~24 hours.
- Each retry gets a new
X-Didit-Deliveryheader but the sameevent_id— de-duplicate on your side. - Repeated failures flip the destination to
disabled.
Subscribing
Subscribe to the events you care about on a webhook destination:data.session_kind === "business" inside status.updated and data.updated events.
Next steps
Webhooks reference
Destinations, signing, retries, common patterns.
Statuses
Session and feature status reference.
Response schema
Decoding the KYB decision payload.