Push, not poll: when consent changes, your systems hear it in seconds. The critical use is withdrawal — a customer who withdrew at 14:00 must not receive your 14:05 campaign.
Events
| consent.recorded | any grant/deny recorded (payload carries action) |
| consent.withdrawn | the one to wire first |
| policy.activated | new policy version live — prior consents flagged for re-consent |
| dsar.requested · dsar.completed | rights requests opened / resolved (payload carries type: access / erasure / rectification) |
Create an endpoint
Dashboard → Webhooks, or POST /v1/webhooks/. HTTPS URLs only — the API refuses plain HTTP. You get a signing secret back, shown once. POST /v1/webhooks/{id}/test/ fires a test delivery.
Verify every delivery
Compute over the raw body bytes, before any JSON parsing — re-serialized JSON won't match.
Delivery & retries
4 quick attempts with exponential backoff (3s / 9s / 27s / 81s), then scheduled retries. A 4xx from your endpoint stops retries (you rejected it); 5xx and timeouts keep retrying. Every attempt is visible in the dashboard's Webhooks page with response codes. Design your handler to be idempotent — replays of the same delivery id can happen after network ambiguity.