Register a Webhook Endpoint for EUDR Compliance Events
Register an enterprise HTTPS URL to receive signed, asynchronous EUDR compliance events such as shipment.linked, polygon.verified, and dds.validated.
X-AgriBackup-Signature request header so your server can verify authenticity before processing.
Supported Event Types
| Event Type | Trigger |
|---|---|
shipment.linked | A batch has been cryptographically anchored to a logistics shipment |
polygon.verified | A polygon ingestion and satellite screening job completed |
batch.risk_assessed | Copernicus NDVI risk assessment completed for a batch |
dds.submitted | A Due Diligence Statement was successfully submitted to TRACES NT |
dds.validated | TRACES NT validated and cleared the DDS at border |
dds.rejected | TRACES NT rejected the DDS (e.g., mismatched Operator UUIDs) |
job.failed | An asynchronous compliance job terminated with an unrecoverable error |
report.ready | A bulk archival report generation job completed successfully |
Verifying Webhook Signatures
To confirm a webhook payload originated from AgriBackup and was not tampered with in transit:- Read the raw request body as bytes — do not parse or re-serialise before hashing.
- Extract the signature from the
X-AgriBackup-SignatureHTTP header. - Compute
HMAC-SHA256(signingSecret, rawBody)and hex-encode the result. - Use a constant-time comparison function to compare your computed hash with the header value. Avoid standard string equality to prevent timing attacks.
Authorizations
Enterprise API Key provided via the AgriBackup developer console.
Headers
Unique idempotency key (UUID) to prevent duplicate operations. Safely stored in Redis with a strict 24-hour TTL to prevent memory bloat during saturation attacks.
Body
Payload to register a webhook listener
The enterprise endpoint URL to receive POST events
^https://.*"https://erp.example.com/agribackup-webhooks"
Event type to subscribe to
shipment.linked, polygon.verified, batch.risk_assessed, dds.submitted, dds.validated, dds.rejected, job.failed, report.ready [
"shipment.linked",
"polygon.verified",
"batch.risk_assessed",
"dds.submitted",
"dds.validated",
"dds.rejected",
"job.failed",
"report.ready"
]Callbacks
POST{$request.body#/targetUrl}shipment.linked
Body
Payload sent to registered endpoints when a shipment is linked to a batch
The type of the event
"shipment.linked"
Event unique ID
"evt_9988776655"
Timestamp of the event
"2026-06-12T12:00:00Z"
The retry attempt number. 0 for the original broadcast.
0
Shipment Linked Data
The scheduled timestamp for the next retry attempt if this delivery fails
"2026-06-12T12:05:00Z"
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}polygon.verified
Body
Payload sent to registered endpoints when a polygon ingestion job completes
The type of the event
"polygon.verified"
Event unique ID
"evt_1122334455"
Timestamp of the event
"2026-06-12T12:00:00Z"
The retry attempt number. 0 for the original broadcast.
0
Polygon Verified Data
The scheduled timestamp for the next retry attempt if this delivery fails
"2026-06-12T12:05:00Z"
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}batch.risk_assessed
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}dds.submitted
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}dds.validated
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}dds.rejected
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}job.failed
Response
Successfully processed by enterprise
POST{$request.body#/targetUrl}report.ready
Response
Successfully processed by enterprise
Response
Webhook successfully registered
Response payload after registering a webhook
The unique identifier of the webhook registration
"wh_12345"
Status of registration
"REGISTERED"
The registered callback target URL
"https://erp.example.com/agribackup-webhooks"
Cryptographic signing secret used to verify webhook payloads. Payloads sent to your callback URL are signed with HMAC-SHA256 using this secret and included in the 'X-AgriBackup-Signature' header. Verify by hashing the raw request body with this secret and comparing with the header value.
"whsec_0123456789abcdef"