Status: Coming soon. Webhooks are not yet available. Use
polling to learn about status changes for now.
Planned events
| Event | Fires when |
|---|---|
customer.kyc_completed | A customer’s KYC reaches a terminal state (VERIFIED, FAILED). |
aml.review_completed | The compliance team finishes reviewing AML hits (status → RESOLVED). |
customer.updated | Any update to a customer your integration owns. |
Planned guarantees
- HMAC-SHA256 signature on every payload, in an
IC-Signatureheader. You’ll verify with a per-endpoint signing secret we’ll show you once at creation (same pattern as API keys). - At-least-once delivery. We retry with exponential backoff for up to 24 hours on non-2xx responses.
- Replay protection. A
IC-Event-Idheader lets you dedupe — same id means same event. - Replay tool. Re-deliver any event from the dashboard if your endpoint was down.
- Timestamp window. Reject events older than 5 minutes (replay-attack guard).
What we deliberately won’t do
- Send raw AML hit data, document images, or full PII in webhook payloads. You receive ids + status; fetch the safe DTO from the API if you need more.
- Provide a “fire-and-forget no-signature” mode. Every endpoint will require signature verification.
In the meantime
Use the polling pattern in Polling for status. The migration to webhooks will be drop-in — the event payload mirrors the customer DTO you already receive fromGET /v1/customers.