Webhooks
Webhooks deliver compliance results asynchronously when usingresponseMode: "async".
Delivery Guarantees
- At-least-once delivery with
eventIdfor client-side deduplication - HMAC signature:
X-ZebraTruth-Signature: sha256=<hmac(secret, body)> - Replay protection:
X-ZebraTruth-Timestamp— reject if drift > 5 minutes - Retry policy: 3 attempts with exponential backoff (1s, 5s, 25s)
- Dead letter: After 3 failures, moved to dead letter queue
Webhook Payload
Verifying Signatures
Dead Letter Queue
Failed deliveries are queryable viaGET /v1/webhooks/deliveries?status=dead.
See Async Webhook guide for the full submit-then-poll flow.