Webhooks allow your application to receive real-time notifications about changes to a verification session status on web app workflows. Here's how you can configure and handle these notifications securely.
Note for Cloudflare Users:If you are using Cloudflare, you must whitelist our IP address to receive webhooks. To whitelist an IP address in Cloudflare, navigate to the "Security" section, then "WAF", then "Tools" and "IP Access Rules". Add the IP address "18.203.201.92", select "Allow", and choose the website the rule applies to.
Configuring the Webhook Endpoint
- 
Refer to the Quick Start Guide to set up your team and application if you haven't already.Follow Steps 1 and 2 from the Quick Start Guide
- 
Add Your Webhook URL and Copy theWebhook Secret Key- Go to your verification settings.
- Enter your webhook URL.
- Copy the Webhook Secret Key, which you'll use to validate incoming requests.
 
Webhook Event Types
We send webhooks for the following event types:
- status.updated: Triggered whenever the verification status changes (e.g., from- Not Startedto- In Progress, or from- In Reviewto- Approved). This includes the initial webhook sent when a session starts.
- data.updated: Triggered when KYC or POA data is manually updated by a reviewer via the API. This allows you to stay in sync with data corrections or manual reviews.
Each webhook payload includes a webhook_type field indicating the event that triggered it.
If the session status is Approved, Declined, In Review, or Abandoned, the webhook will also include a decision field containing detailed verification results. The session_id is always included. Thevendor_data, workflow_id and metadata fields are included only if they are included in the session.
Retry Policy
If delivering a webhook fails (i.e., your endpoint returns a 5xx status code or a 404), we will automatically retry the delivery. To provide you with a clear history of delivery attempts, each retry is logged as a new, separate event in your dashboard.
Retries are performed with an exponential backoff schedule to avoid overwhelming your server. We will attempt to redeliver the webhook up to 2 times over a period of minutes:
- 1st Retry: Approximately 1 minute after the initial failure.
- 2nd Retry: Approximately 4 minutes after the first retry failure.
If all retry attempts fail, we will stop trying to send the webhook for that specific event.
Code Examples
To ensure the security of your webhook endpoint, verify the authenticity of incoming requests using your Webhook Secret Key. The most important step is to always sign and verify the exact raw JSON—any re-stringification can alter the payload and invalidate the signature.
Always store and HMAC the raw JSON string (rather than re-stringifying after parsing). Differences in whitespace, float formatting, or key ordering will break the signature verification.
const express = require("express");
const bodyParser = require("body-parser");
const crypto = require("crypto");
const app = express();
const PORT = process.env.PORT || 1337;
// Load the webhook secret from your environment (or config)
const WEBHOOK_SECRET_KEY = process.env.WEBHOOK_SECRET_KEY || "YOUR_WEBHOOK_SECRET_KEY";
// 1) Capture the raw body
app.use(
  bodyParser.json({
    verify: (req, res, buf, encoding) => {
      if (buf && buf.length) {
        // Store the raw body in the request object
        req.rawBody = buf.toString(encoding || "utf8");
      }
    },
  })
);
// 2) Define the webhook endpoint
app.post("/webhook", (req, res) => {
  try {
    const signature = req.get("X-Signature");
    const timestamp = req.get("X-Timestamp");
    // Ensure all required data is present
    if (!signature || !timestamp || !req.rawBody || !WEBHOOK_SECRET_KEY) {
      return res.status(401).json({ message: "Unauthorized" });
    }
    // 3) Validate the timestamp to ensure the request is fresh (within 5 minutes)
    const currentTime = Math.floor(Date.now() / 1000);
    const incomingTime = parseInt(timestamp, 10);
    if (Math.abs(currentTime - incomingTime) > 300) {
      return res.status(401).json({ message: "Request timestamp is stale." });
    }
    // 4) Generate an HMAC from the raw body using your shared secret
    const hmac = crypto.createHmac("sha256", WEBHOOK_SECRET_KEY);
    const expectedSignature = hmac.update(req.rawBody).digest("hex");
    // 5) Compare using timingSafeEqual for security
    const expectedSignatureBuffer = Buffer.from(expectedSignature, "utf8");
    const providedSignatureBuffer = Buffer.from(signature, "utf8");
    if (
      expectedSignatureBuffer.length !== providedSignatureBuffer.length ||
      !crypto.timingSafeEqual(expectedSignatureBuffer, providedSignatureBuffer)
    ) {
      return res.status(401).json({
        message: `Invalid signature. Computed (${expectedSignature}), Provided (${signature})`,
      });
    }
    // 6) Parse the JSON and proceed (signature is valid at this point)
    const jsonBody = JSON.parse(req.rawBody);
    const { session_id, status, vendor_data, workflow_id } = jsonBody;
    // Example: upsert to database, handle "Approved" status, etc.
    // e.g. upsertVerification(session_id, status, vendor_data, workflow_id);
    return res.json({ message: "Webhook event dispatched" });
  } catch (error) {
    console.error("Error in /webhook handler:", error);
    return res.status(401).json({ message: "Unauthorized" });
  }
});
// Start the server
app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});from fastapi import FastAPI, Request, HTTPException
from time import time
import json
import hmac
import hashlib
import os
from typing import Dict, Any
from prisma import Prisma  # You'll need to set up Prisma client for Python
app = FastAPI()
prisma = Prisma()
def verify_webhook_signature(request_body: str, signature_header: str, timestamp_header: str, secret_key: str) -> bool:
  """
        Verify incoming webhook signature
        """
  # Check if timestamp is recent (within 5 minutes)
  timestamp = int(timestamp_header)
  current_time = int(time())
  if abs(current_time - timestamp) > 300:  # 5 minutes
    return False
  # Calculate expected signature
  expected_signature = hmac.new(
    secret_key.encode("utf-8"),
    request_body.encode("utf-8"),
    hashlib.sha256
  ).hexdigest()
  # Compare signatures using constant-time comparison
  return hmac.compare_digest(signature_header, expected_signature)
@app.post("/webhook")
async def handle_webhook(request: Request):
  # Get the raw request body as string
  body = await request.body()
  body_str = body.decode()
  # Parse JSON for later use
  json_body = json.loads(body_str)
  # Get headers
  signature = request.headers.get("x-signature")
  timestamp = request.headers.get("x-timestamp")
  secret = os.getenv("WEBHOOK_SECRET_KEY")
  if not all([signature, timestamp, secret]):
    raise HTTPException(status_code=401, detail="Unauthorized")
    if not verify_webhook_signature(body_str, signature, timestamp, secret):
      raise HTTPException(status_code=401, detail="Unauthorized")
      session_id = body.get("session_id")
      status = body.get("status")
      vendor_data = body.get("vendor_data")
      # Connect to database
      await prisma.connect()
      try:
        # Update or create verification record
        upsert_result = await prisma.verification.upsert(
          where={
            "id": session_id
          },
          data={
            "update": {
              "verificationStatus": status
            },
            "create": {
              "userId": vendor_data,
              "id": session_id,
              "verificationStatus": status
              # Add other required fields for creation
            }
          }
        )
        # Handle approved status
        if status == "Approved":
          user_id = upsert_result.userId
          await prisma.user.upsert(
            where={
              "id": user_id
            },
            data={
              "update": {
                "isVerified": True
              },
              "create": {
                "id": user_id,
                "isVerified": True
                # Add other required fields for user creation
              }
            }
          )
          return {"message": "Webhook event dispatched"}
        finally:
          await prisma.disconnect()<?php
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Facades\DB;
class WebhookController extends Controller
{
  /**
         * Handle incoming webhook request
         */
  public function handle(Request $request)
  {
    // Get the raw request body
    $bodyContent = $request->getContent();
    // Get headers
    $signature = $request->header('x-signature');
    $timestamp = $request->header('x-timestamp');
    $secret = env('WEBHOOK_SECRET_KEY');
    if (!$signature || !$timestamp || !$secret) {
      return response()->json(['message' => 'Unauthorized'], 401);
    }
    if (!$this->verifyWebhookSignature($bodyContent, $signature, $timestamp, $secret)) {
      return response()->json(['message' => 'Unauthorized'], 401);
    }
    // Parse JSON for processing
    $body = json_decode($bodyContent, true);
    $sessionId = $body['session_id'];
    $status = $body['status'];
    $vendorData = $body['vendor_data'];
    // Update or create verification record
    $verification = DB::table('verifications')->updateOrInsert(
      ['id' => $sessionId],
      [
        'user_id' => $vendorData,
        'verification_status' => $status,
        'updated_at' => now(),
      ]
    );
    // Handle approved status
    if ($status === 'Approved') {
      DB::table('users')->updateOrInsert(
        ['id' => $vendorData],
        [
          'is_verified' => true,
          'updated_at' => now(),
        ]
      );
    }
    private function verifyWebhookSignature(
      string $requestBody,
      string $signatureHeader,
      string $timestampHeader,
      string $secretKey
    ): bool {
      // Check if timestamp is recent (within 5 minutes)
      $timestamp = (int)$timestampHeader;
      $currentTime = time();
      if (abs($currentTime - $timestamp) > 300) {
        return false;
      }
      // Calculate expected signature
      $expectedSignature = hash_hmac('sha256', $requestBody, $secretKey);
      // Compare signatures using constant-time comparison
      return hash_equals($signatureHeader, $expectedSignature);
    }
  }Webhook Body Object Examples
The webhook payload varies depending on the status of the verification session. When the status is Approved or Declined, the body includes the decision field. For all other statuses, the decision field is not present.
Example without decision Field
decision Field{
  "session_id": "11111111-2222-3333-4444-555555555555",
  "status": "In Progress",
  "webhook_type": "status.updated",
  "created_at": 1627680000,
  "timestamp": 1627680000,
  "workflow_id": "11111111-2222-3333-4444-555555555555",
  "vendor_data": "11111111-1111-1111-1111-111111111111",
  "metadata": {
    "user_type": "premium",
    "account_id": "ABC123"
  }
}Example with decision Field
decision Field{
  "session_id": "11111111-2222-3333-4444-555555555555",
  "status": "Declined", // status of the verification session
  "webhook_type": "status.updated",
  "created_at": 1627680000,
  "timestamp": 1627680000,
  "workflow_id": "11111111-2222-3333-4444-555555555555",
  "vendor_data": "11111111-1111-1111-1111-111111111111",
  "metadata": {
    "user_type": "premium",
    "account_id": "ABC123"
  },
  "decision": {
    "session_id": "11111111-2222-3333-4444-555555555555",
    "session_number": 43762,
    "session_url": "https://verify.didit.me/session/11111111-2222-3333-4444-555555555555",
    "status": "In Review",
    "workflow_id": "11111111-2222-3333-4444-555555555555",
    "features": ["ID_VERIFICATION", "NFC", "LIVENESS", "FACE_MATCH", "POA", "PHONE", "AML", "IP_ANALYSIS"],
    "vendor_data": "11111111-1111-1111-1111-111111111111",
    "metadata": {
      "user_type": "premium",
      "account_id": "ABC123"
    },
    "expected_details": {
      "first_name": "Carmen",
      "last_name": "Española Española"
    },
    "contact_details": {
      "email": "[email protected]",
      "email_lang": "es"
    },
    "callback": "https://verify.didit.me/",
    // optional field if ID_VERIFICATION feature is enabled
    "id_verification": {
      "status": "Approved",
      "document_type": "Identity Card",
      "document_number": "CAA000000",
      "personal_number": "99999999R",
      "portrait_image": "https://example.com/portrait.jpg",
      "front_image": "https://example.com/front.jpg",
      "front_video": "https://example.com/front.mp4",
      "back_image": "https://example.com/back.jpg",
      "back_video": "https://example.com/back.mp4",
      "full_front_image": "https://example.com/full_front.jpg",
      "full_back_image": "https://example.com/full_back.jpg",
      "date_of_birth": "1980-01-01",
      "age": 45,
      "expiration_date": "2031-06-02",
      "date_of_issue": "2021-06-02",
      "issuing_state": "ESP",
      "issuing_state_name": "Spain",
      "first_name": "Carmen",
      "last_name": "Española Española",
      "full_name": "Carmen Española Española",
      "gender": "F",
      "address": "Avda de Madrid 34, Madrid, Madrid",
      "formatted_address": "Avda de Madrid 34, Madrid, Madrid 28822, Spain",
      "place_of_birth": "Madrid",
      "marital_status": "Single",
      "nationality": "ESP",
      "parsed_address": {
        "id": "7c6280a2-fb6a-4258-93d5-2ac987cbc6ba",
				"address_type": "Avda",
        "city": "Madrid",
        "label": "Spain ID Card Address",
        "region": "Madrid",
        "street_1": "Avda de Madrid 34",
        "street_2": null,
        "postal_code": "28822",
        "raw_results": {
          "geometry": {
            "location": {
              "lat": 37.4222804,
              "lng": -122.0843428
            },
            "location_type": "ROOFTOP",
            "viewport": {
              "northeast": {
                "lat": 37.4237349802915,
                "lng": -122.083183169709
              },
              "southwest": {
                "lat": 37.4210370197085,
                "lng": -122.085881130292
              }
            }
          },
        },
      },
      "extra_files": [
        "https://example.com/extra_id_verification.jpg",
      ],
      "warnings": [
        {
          "risk": "QR_NOT_DETECTED",
          "additional_data": null,
          "log_type": "information",
          "short_description": "QR not detected",
          "long_description": "The system couldn't find or read the QR code on the document, which is necessary for document verification. This could be due to poor image quality or an unsupported document type.",
        }
      ],
    },
    "reviews": [
      {
        "user": "[email protected]",
        "new_status": "Declined",
        "comment": "Possible match found in AML screening",
        "created_at": "2024-07-18T13:29:00.366811Z"
      }
    ],
    "created_at": "2024-07-24T08:54:25.443172Z"
  }
}
For a complete list of possible properties and their values for thedecisionfield, please refer to our API Reference.
