Webhooks
Rather than polling, you can have StatementIQ POST an event to your server when something happens to a request. Set your webhook URL in the portal under Settings → Company. A signing secret is generated for you at the same time.
Events
consent.completed— the customer authorised data sharing.report.ready— the report has been generated and can be fetched.request.withdrawn— consent was withdrawn (by the customer or your firm); derived data has been deleted.
Payload
We POST JSON to your URL. Every payload includes the request_id:
{
"event": "report.ready",
"request_id": "req_1a2b3c…",
"verification_id": "SIQ-6EABF8EC",
"report_type": "expense_summary",
"client_name": "Jordan Wilson"
}On report.ready, call GET /v1/requests/{id}/report to fetch the report.
Verifying the signature
Each delivery includes an X-StatementIQ-Signature header: the HMAC-SHA256 of the raw request body, keyed with your webhook signing secret. Recompute it and compare before trusting a payload.
import hmac, hashlib
def verify(secret: str, raw_body: bytes, signature: str) -> bool:
expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
return hmac.compare_digest(expected, signature)Respond quickly, then work
Return a 2xx as soon as you have received the event, then do your processing asynchronously. Deliveries are best-effort; if your endpoint is unavailable, the report is still retrievable via the API, and a reconciler will re-attempt generation if an upstream consent event was missed.