Build your receiver

A webhook receiver is a small endpoint on your own server that we POST to. It does three things: verify the signature, act on the event, and return 200. You can write one in any language — below are working starters you can download and adapt.

Download a starter

Each verifies the HMAC-SHA256 signature and has a clearly marked TODO where you plug in your own logic:

• veritus-webhook.php — PHP
• veritus-webhook.js — Node / Express
• veritus-webhook.py — Python / Flask

Set the signing secret (shown once when you created the webhook) via the VERITUS_WEBHOOK_SECRET environment variable, not in code.

The held-signup approval flow

The most common reason to run a receiver: hold new signups until you approve them. The pieces fit together like this:

1. A user signs up. Your signup code creates the account in a held state (e.g. verified='no') and shows a “being reviewed” message.
2. The signup is scored by Veritus and appears in Live scores.
3. You review it and click allow (the override control on the check). That fires the verdict.overridden event.
4. Your receiver gets the POST, verifies it, and on new_verdict == "allow" flips the account to active — and optionally emails the user that they can now log in.
5. A block override leaves the account held; it never logs in.

Tip: set the form's allow threshold to 0 so every signup lands in review and waits for your decision — nothing is auto-allowed.

The verdict.overridden payload

This is the event your receiver acts on. Its data block:

{
  "event":     "verdict.overridden",
  "timestamp": 1748094182,
  "data": {
    "email":       "user@example.com",  // match your held account on this
    "new_verdict": "allow",             // allow|review|block
    "score":       27,
    "form_uuid":   "uuid or null"       // which site/form this signup was on
  }
}

Match the held account by email. Act only when new_verdict is allow; otherwise leave the account held.

Reference receiver (PHP)

<?php
 = getenv('VERITUS_WEBHOOK_SECRET');
    = file_get_contents('php://input');

 = 'sha256=' . hash_hmac('sha256', , );
if (!hash_equals(, ['HTTP_X_VERITUS_SIGNATURE'] ?? '')) {
    http_response_code(401); exit;
}

 = json_decode(, true);
if ((['event'] ?? '') === 'verdict.overridden') {
     = ['data'] ?? [];
    if (strtolower(['new_verdict'] ?? '') === 'allow') {
        // TODO: activate the account for ['email']
    }
}
http_response_code(200);

Where webhooks are managed

• Per site — open a form (site) in the dashboard and add a webhook there; it fires only for that site's signups.
• Account-wide — /dashboard/webhooks creates a hook that fires for all of your sites.

See also

• Signature verification — full code for Python, Node, PHP, Go
• Event types
• Retries & delivery