Skip to main content
Webhooks push real-time event notifications to your server when verification, screening, and transaction events occur. This guide covers endpoint setup, signature verification, retry behavior, and IP allowlisting.
For a quick reference of all webhook events and payload structures, see Webhooks Reference.

Setting Up Endpoints

1

Create an Endpoint

Go to Dashboard > Settings > Webhooks and click Add Endpoint. Enter your HTTPS URL and select the events you want to receive.
2

Copy the Signing Secret

After creating the endpoint, copy the Webhook Secret. You will need this to verify incoming payloads. The secret is shown once and can be rotated at any time.
3

Subscribe to Events

Select which events are delivered to this endpoint. You can subscribe to all events or choose specific ones.
4

Activate the Endpoint

Toggle the endpoint to Active. Verilock will begin delivering events immediately.

All Events

Verilock emits the following 13 webhook events:
EventCategoryTrigger
session.completedKYCVerification session finished processing
session.approvedKYCSession approved — identity verified
session.declinedKYCSession declined — failed checks
session.expiredKYCSession expired before completion
aml.completedAMLAML screening finished processing
aml.match_foundAMLPotential watchlist or PEP match detected
aml.monitoring.matchMonitoringContinuous monitoring detected new matches
transaction.flaggedTransactionsTransaction flagged for manual review
transaction.blockedTransactionsTransaction automatically blocked
biometric.completedBiometricBiometric authentication completed
database.validatedDatabaseDatabase validation completed
face.duplicate_foundFace SearchDuplicate identity detected
wallet.screenedWalletWallet screening completed

Signature Verification

Every webhook includes an X-Verilock-Signature header containing an HMAC-SHA256 signature of the raw request body. 
# Compute the expected signature
echo -n '{"event":"session.approved","data":{...}}' | \
  openssl dgst -sha256 -hmac "whsec_your_signing_secret"
Verification steps:
  1. Read the raw request body (do not parse JSON first)
  2. Compute HMAC-SHA256 using your webhook secret
  3. Compare the computed value to the X-Verilock-Signature header using a timing-safe comparison
  4. Reject the request if they do not match
Always use timing-safe comparison functions (hash_equals in PHP, hmac.compare_digest in Python, crypto.timingSafeEqual in Node.js) to prevent timing attacks.

Payload Examples

{
  "event": "session.approved",
  "data": {
    "session_id": "ses_a1b2c3d4e5f6",
    "status": "approved",
    "risk_score": 12,
    "decision": "approved",
    "applicant": {
      "first_name": "Jean",
      "last_name": "Dupont",
      "email": "jean@example.com"
    },
    "completed_at": "2026-03-15T14:30:00Z"
  },
  "timestamp": "2026-03-15T14:30:01Z",
  "webhook_id": "wh_evt_9f8e7d6c5b4a"
}

Retry Policy

Failed deliveries (non-2xx response or timeout after 10 seconds) are retried with exponential backoff:
AttemptDelayTotal Elapsed
1st retry10 seconds~10s
2nd retry1 minute~1m 10s
3rd retry5 minutes~6m 10s
4th retry30 minutes~36m
5th retry2 hours~2h 36m
After 5 failed attempts, the delivery is marked as failed. View and manually retry failed deliveries from Dashboard > Webhooks > Delivery Log.
Return a 200 status code immediately and process the event asynchronously. Long-running webhook handlers increase the chance of timeouts and unnecessary retries.

IP Allowlisting

If your infrastructure uses firewall rules, allowlist the following Verilock IP ranges: 
203.0.113.0/24
198.51.100.0/24
IP ranges are subject to change. Subscribe to the Verilock status page for notifications about infrastructure changes.

Multiple Endpoints

You can configure up to 10 webhook endpoints per account. Each endpoint can subscribe to different events, allowing you to route events to different services:
EndpointEventsUse Case
https://api.yourapp.com/webhooks/verilocksession.*Application logic
https://compliance.internal/webhooksaml.*, transaction.*Compliance team
Zapier catch hook URLsession.approvedAutomation

Delivery Log

The webhook delivery log in your dashboard shows:
  • Event type and payload
  • Response status code from your endpoint
  • Response time in milliseconds
  • Retry count and next retry time
  • Delivery status: delivered, retrying, failed
Filter by event type, status, or date range to investigate delivery issues.

Best Practices

Respond Fast

Return 200 OK immediately. Queue the event for async processing to avoid timeouts.

Deduplicate

Store processed webhook_id values. Skip events you have already handled to ensure idempotent processing.

Verify Signatures

Always validate X-Verilock-Signature before processing. Reject unsigned or incorrectly signed payloads.

Monitor Failures

Set up alerts for failed deliveries. Persistent failures may indicate endpoint issues or network problems.