ConsentProof Verify a receipt · تحقق من إيصال Start free · ابدأ مجاناً

Webhooks الويب هوكس

الخلاصة بالعربية دفعٌ لا سحب: عند تغيّر الموافقة تسمع أنظمتك بها خلال ثوانٍ، وأهم حدث تربطه أولاً هو السحب — من سحب موافقته الساعة الثانية يجب ألا تصله حملتك الساعة الثانية وخمس دقائق. كل تسليم موقَّع HMAC-SHA256 مع ربط زمني يقتل إعادة التشغيل، والمسارات HTTPS فقط، والمحاولات تتصاعد ٣/٩/٢٧/٨١ ثانية. صمّم مستقبِلك ليكون idempotent.

Push, not poll: when consent changes, your systems hear it in seconds. The critical use is withdrawal — a customer who withdrew at 14:00 must not receive your 14:05 campaign.

Events

consent.recordedany grant/deny recorded (payload carries action)
consent.withdrawnthe one to wire first
policy.activatednew policy version live — prior consents flagged for re-consent
dsar.requested · dsar.completedrights requests opened / resolved (payload carries type: access / erasure / rectification)

Create an endpoint

Dashboard → Webhooks, or POST /v1/webhooks/. HTTPS URLs only — the API refuses plain HTTP. You get a signing secret back, shown once. POST /v1/webhooks/{id}/test/ fires a test delivery.

Verify every delivery

X-ConsentProof-Event: consent.withdrawn X-ConsentProof-Timestamp: 1767225600 X-ConsentProof-Signature: hex(hmac_sha256(secret, "{timestamp}.{raw_body}"))
# python import hmac, hashlib expected = hmac.new(secret.encode(), f"{ts}.{raw_body}".encode(), hashlib.sha256).hexdigest() ok = hmac.compare_digest(expected, signature_header) # also reject if abs(now - int(ts)) > 300 — the timestamp binding kills replay

Compute over the raw body bytes, before any JSON parsing — re-serialized JSON won't match.

Delivery & retries

4 quick attempts with exponential backoff (3s / 9s / 27s / 81s), then scheduled retries. A 4xx from your endpoint stops retries (you rejected it); 5xx and timeouts keep retrying. Every attempt is visible in the dashboard's Webhooks page with response codes. Design your handler to be idempotent — replays of the same delivery id can happen after network ambiguity.