Webhooks
Real-time event delivery
Register a signed HTTPS endpoint to receive Provara lifecycle events. Payloads are signed with HMAC-SHA256 using your webhook secret; verify the signature header before acting on the payload.
Event types
| Event | Description |
|---|---|
| score.updated | Fires when a company's composite Provara score changes on re-assessment. |
| seal.earned | Fires when a company crosses the seal threshold (composite ≥ 70). |
| seal.revoked | Fires when a company's seal is revoked following material change or cycle miss. |
| assessment.completed | Fires when an assessment job transitions to Complete status. |
| compliance.alert | Fires when the Compliance Agent tags a portfolio-relevant regulatory change. |
Sample payload · score.updated
{
"event": "score.updated",
"delivered_at": "2026-07-11T09:14:22Z",
"data": {
"company_id": "caribharvest",
"company_name": "CaribHarvest Exports Ltd.",
"previous_composite": 58,
"current_composite": 61,
"delta": 3,
"band": "amber",
"methodology_version": "PRV-M 2.1",
"changed_domains": [
{
"domain": "Financial Performance & Trajectory",
"from": 55,
"to": 58
},
{
"domain": "Governance & Formalization",
"from": 45,
"to": 49
}
]
},
"signature": "sha256=e3c8…verify-with-webhook-secret"
}Signature verification (Node)
import { createHmac, timingSafeEqual } from "crypto";
function verify(rawBody: string, header: string, secret: string) {
const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
const sent = header.replace(/^sha256=/, "");
return timingSafeEqual(Buffer.from(sent), Buffer.from(expected));
}