Every compliance export webhook is signed. Verify the signature before you process the event, fetch the signed vCon, or store anything from the delivery. Klariqo uses the Standard Webhooks signing format.

Headers

Each delivery includes these headers:
| Header | Meaning |
| --- | --- |
| webhook-id | The unique delivery id used in the signed content. |
| webhook-timestamp | The timestamp used in the signed content. |
| webhook-signature | The signature value, formatted as v1,<base64>. |

Your endpoint also receives a signing secret for this webhook endpoint. The secret is formatted as whsec_<base64>.

What is signed

The signed content is:
id.timestamp.body
Where:
| Part | Source |
| --- | --- |
| id | The webhook-id header. |
| timestamp | The webhook-timestamp header. |
| body | The raw request body exactly as Klariqo sent it. |

Verify against the raw request body. Do not parse JSON and then stringify it again before verification. Even a harmless formatting change can make the signature check fail.

Verification steps

1. Read the headers
   Read webhook-id, webhook-timestamp, and webhook-signature from the request.

2. Check the timestamp
   Reject requests with a large timestamp skew. This helps prevent old signed deliveries from being replayed later.

3. Use the raw body
   Build the signed content from the header id, header timestamp, and the raw request body.

4. Verify the signature
   Verify the v1,<base64> signature with the endpoint signing secret.

5. Process only after verification
   Only process the event after the signature passes.

What to reject

Reject the request if:
  • A required signature header is missing.
  • webhook-signature is not in the v1,<base64> format.
  • The timestamp has a large skew.
  • The signature does not verify against the raw body.
  • The same delivery id has already been processed.
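
The verification steps and rejection rules above as one function, added here as an example and not Klariqo's own code. It assumes the Standard Webhooks v1 scheme (HMAC-SHA256, timestamp in Unix seconds), header names already lowercased into a dict, a 300-second tolerance, and an in-memory set of processed delivery ids; the function and variable names are hypothetical.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: the page only says "large skew"
seen_ids = set()         # assumption: in-memory; use a shared store across workers


def expected_signature(secret, msg_id, timestamp, raw_body):
    """HMAC-SHA256 over id.timestamp.body, keyed with the decoded whsec_ secret."""
    if not secret.startswith("whsec_"):
        raise ValueError("secret is not whsec_<base64>")
    key = base64.b64decode(secret[len("whsec_"):])
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + raw_body
    return hmac.new(key, signed, hashlib.sha256).digest()


def verify_delivery(headers, raw_body, secret, now=None):
    """Return the delivery id if every check passes; raise ValueError otherwise."""
    try:
        msg_id = headers["webhook-id"]
        timestamp = headers["webhook-timestamp"]
        sig_header = headers["webhook-signature"]
    except KeyError as exc:
        raise ValueError(f"missing header {exc}") from None
    # int() raises ValueError on a malformed timestamp.
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        raise ValueError("timestamp skew too large")

    expected = expected_signature(secret, msg_id, timestamp, raw_body)
    matched = False
    # Standard Webhooks allows several space-separated signatures in one header.
    for part in sig_header.split():
        version, _, value = part.partition(",")
        if version != "v1":
            continue
        try:
            candidate = base64.b64decode(value, validate=True)
        except ValueError:
            continue
        matched |= hmac.compare_digest(candidate, expected)
    if not matched:
        raise ValueError("signature does not verify against the raw body")
    if msg_id in seen_ids:
        raise ValueError("delivery id already processed")
    seen_ids.add(msg_id)
    return msg_id
```

Pass `raw_body` as the bytes read from the request before any JSON parsing, and record the delivery id in storage that survives restarts if deliveries can be retried across deployments.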

After verification

After the signature passes, process the event as a pointer to the compliance record. The webhook payload does not contain the full signed vCon inline. It contains an envelope and an expiring download URL for the signed vCon.

Signature verification proves delivery integrity for the webhook request. It is not a legal judgment. Exported records support evidence, provenance, and audit-readiness, but you remain responsible for scripts, consent, retention, storage, and counsel review.