Webhooks — async event delivery.

Setup

1. Register a webhook endpoint via POST /v1/webhooks
2. Store the returned secret securely (shown only once)
3. eupeak.io will POST signed events to your URL

Event payload

{
  "event": "screening.complete",
  "screening_id": "uuid",
  "timestamp": "2026-04-15T09:00:00Z",
  "data": { ...full screening response... }
}

Verifying signatures

Header: X-Eupeak-Signature: sha256=HMAC_HEX

TypeScript verification

import crypto from 'crypto';

function verifySignature(
  payload: string,
  secret: string,
  sig: string
): boolean {
  const expected =
    'sha256=' +
    crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(sig)
  );
}

Retry policy

On non-2xx response: retry at 1m → 5m → 15m → 1h → 24h. After 5 consecutive failures, the webhook is marked degraded.