Create Webhook Destination
Create a webhook destination. The response includes the auto-generated secret_shared_key HMAC signing secret (also readable later via GET /v3/webhook/destinations/{destination_uuid}/). Always send subscribed_events with at least one event (no wildcards): an explicit empty list is rejected with 400, and omitting the field creates a destination subscribed to nothing, which never receives a webhook. The (application, url) pair must be unique among non-deleted destinations.
secret_shared_key, webhook_version, and subscribed_events list.
How subscribed_events works
subscribed_events is a required array of exact event names. Didit delivers a webhook to this destination only when the payload’s webhook_type matches one of the values in the array.
- Include at least one event.
- Use only the supported event names below.
- Add every event you want delivered; there is no wildcard value like
*orall. - To route different product areas to different systems, create multiple destinations with different
subscribed_eventslists.
Event catalog
| Event | Subscribe when you need |
|---|---|
status.updated | User Verification (KYC) or Business Verification (KYB) session status changes. KYB payloads include session_kind: "business" and business_session_id. |
data.updated | Session verification data is corrected or updated after creation, such as reviewer edits to KYC, Proof of Address, or KYB data. |
user.status.updated | A User entity changes status, for example ACTIVE, FLAGGED, or BLOCKED. |
user.data.updated | A User entity profile, counters, metadata, documents, or aggregate verification fields change. |
business.status.updated | A Business entity changes status, for example after manual review, KYB results, or a blocklist action. |
business.data.updated | A Business entity profile, counters, metadata, registration fields, or aggregate verification fields change. |
activity.created | A timeline activity is recorded for a User, Business, external counterparty, session, or transaction. |
transaction.created | A Transaction Monitoring transaction is created and its initial rule evaluation is complete. |
transaction.status.updated | A transaction changes status after rules, analyst review, remediation, provider updates, or API/console actions. |
Authorizations
Body
Human-readable name displayed in Console → Webhooks. Helps distinguish destinations when you have several (e.g. "Prod", "Staging mirror").
255HTTPS URL that will receive POST requests. Must be unique per application among non-deleted destinations. Use a stable, hardened endpoint — Didit retries failed deliveries on a backoff schedule.
When false, the destination is saved but Didit will not push any webhooks to it. Useful for staging configs you want to keep parked.
Payload schema version Didit will send. v3 is the current/recommended format; older versions are kept for backward compatibility with legacy integrations.
v1, v2, v3 Events to deliver. Effectively required: an explicit [] is rejected with 400, and omitting the field creates a destination with no subscriptions that receives nothing.
1Supported webhook event name. Use these exact strings in subscribed_events; unsupported values are rejected.
status.updated, data.updated, user.status.updated, user.data.updated, business.status.updated, business.data.updated, activity.created, transaction.created, transaction.status.updated ["status.updated", "data.updated"]Response
Destination created. secret_shared_key is the HMAC signing secret — store it now.
Stable destination identifier. Use as {destination_uuid} in subsequent calls.
v1, v2, v3 Auto-generated HMAC signing secret bound to this destination (43-character URL-safe token). Use it to verify the signature headers on incoming webhooks. Always returned in full to API-key callers; Console users need the read:webhooks permission, otherwise they see an empty string.
Event filter for this webhook destination. Didit delivers only webhooks whose event type exactly matches one of these values — there is no wildcard subscription. When sent, the list must contain at least one valid event (an explicit [] is rejected with 400); a destination whose list is empty (field omitted at create) receives nothing. On update the list is replaced wholesale, never merged.
1Supported webhook event name. Use these exact strings in subscribed_events; unsupported values are rejected.
status.updated, data.updated, user.status.updated, user.data.updated, business.status.updated, business.data.updated, activity.created, transaction.created, transaction.status.updated ["status.updated", "data.updated"]Delivery health summary (all zero/null on a brand-new destination).