Webhooks

Real-time event delivery

Register a signed HTTPS endpoint to receive Provara lifecycle events. Payloads are signed with HMAC-SHA256 using your webhook secret; verify the signature header before acting on the payload.

Event types

EventDescription
score.updatedFires when a company's composite Provara score changes on re-assessment.
seal.earnedFires when a company crosses the seal threshold (composite ≥ 70).
seal.revokedFires when a company's seal is revoked following material change or cycle miss.
assessment.completedFires when an assessment job transitions to Complete status.
compliance.alertFires when the Compliance Agent tags a portfolio-relevant regulatory change.

Sample payload · score.updated

{
  "event": "score.updated",
  "delivered_at": "2026-07-11T09:14:22Z",
  "data": {
    "company_id": "caribharvest",
    "company_name": "CaribHarvest Exports Ltd.",
    "previous_composite": 58,
    "current_composite": 61,
    "delta": 3,
    "band": "amber",
    "methodology_version": "PRV-M 2.1",
    "changed_domains": [
      {
        "domain": "Financial Performance & Trajectory",
        "from": 55,
        "to": 58
      },
      {
        "domain": "Governance & Formalization",
        "from": 45,
        "to": 49
      }
    ]
  },
  "signature": "sha256=e3c8…verify-with-webhook-secret"
}

Signature verification (Node)

import { createHmac, timingSafeEqual } from "crypto";

function verify(rawBody: string, header: string, secret: string) {
  const expected = createHmac("sha256", secret).update(rawBody).digest("hex");
  const sent = header.replace(/^sha256=/, "");
  return timingSafeEqual(Buffer.from(sent), Buffer.from(expected));
}