Webhook

Method: POST (HTTPS only)

Headers

  • Content-Type: application/json
  • Authorization: Bearer (optional)
  • X-Cryptopass-Signature: sha256=

Important: verify the signature and use replay_protection_id for idempotency.

Request Body (cryptopass.created)

json
{
  "event": "cryptopass.created",
  "provider_slug": "myexchange",
  "external_user_id": "ext-user-12345",
  "timestamp": "2025-10-27T12:34:56Z",
  "cryptopass": {
    "id": 1234,
    "order_id": 5678,
    "status": "active",
    "level": { "duration_days": 365 },
    "user": {
      "email": "optional@example.com",
      "sumsub_applicant_id": "optional-abc123"
    },
    "verification": {
      "kyc_status": "passed",
      "aml_status": "passed",
      "ownership_status": "passed"
    },
    "wallets": [{
      "address": "0xabc...",
      "chain": "ETH",
      "ownership_signature": "0x...",
      "ownership_status": "passed",
      "risk_score": 14
    }],
    "documents": {
      "pdf_report_url": "https://.../report.pdf"
    }
  },
  "meta": {
    "replay_protection_id": "jti-123",
    "version": "1.0"
  }
}

Response

200 OK with { "ok": true }. Retries: non-2xx with backoff. Handle idempotently via replay_protection_id.

Previous
Context API
Next
Security