Webhooks

Webhooks

Verbitas sends webhook events to your registered endpoint when key operations complete.

Register an endpoint

POST /v1/webhooks
Authorization: Bearer vb_test_...
Content-Type: application/json

{
  "url": "https://yourapp.example.com/verbitas-webhook",
  "events": ["manifest.signed", "anchor.confirmed", "verification.completed"]
}

Events

Event	Triggered when
manifest.signed	A new manifest is signed and persisted
anchor.confirmed	An anchoring batch is confirmed on-ledger
verification.completed	An async verify job completes
certificate.expiring	A signing certificate expires in < 30 days

Payload format

{
  "event": "manifest.signed",
  "occurred_at": "2026-05-09T08:00:00Z",
  "data": {
    "manifest_id": "01927abc-...",
    "recipe": "image-genai-v1",
    "status": "signed"
  }
}

Signature verification

All webhook payloads are signed with HMAC-SHA256. The signature is in the X-Verbitas-Signature header:

X-Verbitas-Signature: sha256=<hex>

Verify:

import hmac, hashlib

def verify_signature(payload: bytes, secret: str, header: str) -> bool:
    expected = "sha256=" + hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, header)

Caution

Always verify the webhook signature before processing. Reject any request that fails signature verification.