For Relying Parties
Docs · Webhooks
Nexiel signs every webhook with `X-Nexiel-Signature` (timestamp + HMAC-SHA256). Retries happen up to 5 times with exponential backoff. Use this guide to validate requests and react to events.
import crypto from 'crypto';
export function verifySignature(rawBody, signatureHeader, secret) {
const [timestampPart, signaturePart] = signatureHeader.split(',');
const timestamp = timestampPart.replace('t=', '');
const provided = signaturePart.replace('v1=', '');
const payload = `${timestamp}.${rawBody}`;
const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
return crypto.timingSafeEqual(Buffer.from(provided), Buffer.from(expected));
}Build the payload as `timestamp.rawBody`. Reject requests older than 5 minutes to mitigate replay.
verification.completed
Wallet proof accepted with hashed attributes + assurance.
verification.failed
Wallet rejected, expired, or policy violation occurred.
user.deleted
Wallet initiated GDPR erasure; remove linked data downstream.
credential.issued
Credential signed and ready for collection.
credential.accepted
Holder added the credential to their wallet.
credential.revoked
Issuer revoked credential or it expired.
nfc.tap.logged
Reader verified or denied access for an NFC credential.