Fetch the signed vCon

A webhook delivers a pointer, not the record itself. To get the record, fetch it from the download URL in the event. The URL is short-lived and tied to that one record.

Fetch and verify

Read the download URL

Take the download URL from the event envelope you received.

Fetch it before it expires

Fetch the URL promptly. It returns the signed vCon, the full compliance record.

Verify it

Check the signature, the same way the public verifier does, and confirm the recording’s SHA-512 content hash in the record. See verify a vCon.

Notes

The URL is short-lived. Fetch it promptly and store the record you retrieved, not the URL.
The URL is bound to one record. It will not return any other record.

Verify a vCon

How to check a signed record’s integrity.

Verify signatures

Confirm the webhook delivery itself.

Compliance record envelope Security overview

⌘I

​Fetch and verify

​Notes

Verify a vCon

Verify signatures

Fetch and verify

Notes