Session Webhooks

Overview of the Session Started, Session Failed, Session Succeeded, and Session Pending Review webhooks

Session webhooks let you set up notifications for events that happen during any session triggered by a Flow or Workflow. You can configure them, along with other types of webhooks, in Dashboard.

Learn more about webhooks

Webhooks are event notifications. They let your organization's application know when a specific event happens on the Incode platform or when a process initiated by a user is completed (also known as a callback). Your application can then take action based on the notification.

Webhooks are asynchronous (that is, the communication is only from the Incode platform to your application). You must configure them if you want to use them.

Each session webhook notifies you about a specific session event. This is different from the Onboarding Status webhook, which sends notifications at the completion of every module during a single session. Depending on the number of modules in the session Flow or Workflow, this could be more notifications than you need or want.

Session webhooks provide additional flexibility and let you tailor your notifications for specific needs.

There are six session webhooks available:

  • Session Started: Triggered when any session triggered by a Flow or Workflow starts.
  • Session Progress: Triggered when an existing session link is resumed (not on initial session creation).
  • Session Failed: Triggered when any session triggered by a Flow or Workflow fails. Sessions can fail at various points and for various reasons during a Flow or Workflow. You can view more information about failed sessions in Dashboard. Go to Dashboard > Sessions and click any session in the table to open it.
  • Session Succeeded: Triggered when any session triggered by a Flow or Workflow succeeds.
  • Session Pending Review: Triggered when any session triggered by a Flow or Workflow requires manual review.
  • Identity Enrolled: Triggered the first time an Identity is created. Updates to an existing Identity do not emit this event.

Key facts about session webhooks

  • Each session webhook notification contains a number of common fields. These provide context and allow you to track what's happening more easily.
  • Notifications come as POST requests to the endpoint you configured in Dashboard.
  • Notification headers are passed as key/value pairs.
  • Notification payloads are sent in JSON format. You must configure any internal settings to include Accept Application/json.
  • Data is included in the first notification for which it is available.

Notification payload fields

Common fields

The fields in the following table are common to all session webhook notifications (SESSION_STARTED, SESSION_PROGRESS, SESSION_FAILED, SESSION_SUCCEEDED, and SESSION_PENDING_REVIEW). They are the only fields included in SESSION_STARTED and SESSION_PROGRESS.

FieldTypeDescription
event_typestringName of the webhook providing the notification: SESSION_STARTED, SESSION_PROGRESS, SESSION_FAILED, SESSION_SUCCEEDED, or SESSION_PENDING_REVIEW
timestampstringUTC timestamp of the triggering event in ISO 8601 format
interviewIdstringUnique identifier for the session
externalCustomerIdstringUnique identifier from your system that is used for data matching
clientIdstringUnique identifier assigned to your organization
configurationIdstringUnique identifier assigned to the Flow or Workflow for this session
integrationIdstringUnique identifier assigned by Incode to the integration associated with this session. If there was no integration for the session, this field does not appear.
integrationTypestringType of integration associated with this session. null if no integration reference is present or cannot be resolved.
loginHintstringDisplays a value entered by the end user as a login hint for this session. If no login hint was used, this field does not appear.
devicesarrayAlways null for SESSION_STARTED and SESSION_PROGRESS. See Devices array for details.

Fields available after a session starts

The next table explains fields that are only available after a session starts. These fields are included in SESSION_FAILED, SESSION_SUCCEEDED, or SESSION_PENDING_REVIEW notifications.

FieldTypeDescription
onboardingStatusstringStatus of the session; the value is always ONBOARDING_FINISHED. The term "onboarding" here applies to any session.
ipstringIP address for the end user device (legacy field, preserved for backward compatibility). Not available for fully API-integrated sessions.
latitudestringLatitude at which the end user device was located during the session (legacy field, preserved for backward compatibility). Not available for fully API-integrated sessions.
longitudestringLongitude at which the end user device was located during the session (legacy field, preserved for backward compatibility). Not available for fully API-integrated sessions.
devicesarrayStructured array of device objects containing enriched device fingerprint data. Empty array ([]) when no device data is available. See Devices array.

Fields available for specific event types

The following table explains fields that appear only in specific event type notifications.

FieldEvent type(s)TypeDescription
identityIdSESSION_SUCCEEDED, SESSION_FAILEDstringUnique identifier for the Identity that was matched or created for this session. Included in SESSION_FAILED when the failed session is tied to an existing Identity.
failureReasonsSESSION_FAILEDarraySorted, deduplicated array of upper-snake-case string identifiers indicating why the session failed. Replaces the legacy failureReason field. See Failure reasons.

Devices array

The devices field is a structured array of device objects included in SESSION_FAILED, SESSION_SUCCEEDED, and SESSION_PENDING_REVIEW notifications. It replaces the flat ip, latitude, and longitude fields previously included. However, these fields are preserved for backward compatibility. Devices are sorted by timestamp, with the oldest first.

Each device object contains the following fields:

FieldTypeDescription
ipstringIP address of the end user device
latitudenumberLatitude of the end user device location
longitudenumberLongitude of the end user device location
browserstringBrowser used during the session
deviceModelstringModel of the end user device
deviceTypestringType of device (for example, mobile)
osVersionstringOperating system and version
hashstringDevice fingerprint hash

Example:

{
  "ip": "203.0.113.10",
  "latitude": 37.7749,
  "longitude": -122.4194,
  "browser": "Chrome",
  "deviceModel": "iPhone 15",
  "deviceType": "mobile",
  "osVersion": "iOS 17.5",
  "hash": "fingerprint-hash"
}

Failure reasons

⚠️

Breaking change: The legacy failureReason (singular string) field has been removed from SESSION_FAILED notifications and replaced by the failureReasons array.

The failureReasons field is included only in SESSION_FAILED notifications. It contains a stable, sorted, deduplicated array of identifiers indicating why the session failed.

Example:

{
  "event_type": "SESSION_FAILED",
  "failureReasons": ["ID_VALIDATION", "LIVENESS"]
}

The following table lists all possible identifiers:

IdentifierSource
AUTHENTICATIONauthentication score field
ID_VALIDATIONidValidation score field
SECOND_ID_VALIDATIONsecondIdValidation score field
ANTIFRAUDantifraud score field
LIVENESSliveness score field
DEEPSIGHTdeepsight score field
FACE_CAPTURE_ASSESSMENTfaceCaptureAssessment score field
FACE_RECOGNITIONfaceRecognition score field
FACE_RECOGNITION_SECOND_IDfaceRecognitionSecondId score field
GOVERNMENT_VALIDATIONgovernmentValidation score field
VIDEO_SELFIEvideoConference score field
PREMIUM_EXTERNAL_VERIFICATIONpremiumExternalVerification score field
CURP_VERIFICATIONcurpVerification score field
ID_OCR_CONFIDENCEidOcrConfidence score field
ID_OCR_CONFIDENCE_SECOND_IDidOcrConfidenceSecondId score field
INCODE_WATCHLISTincodeWatchlistScore score field
DEVICE_RISKdeviceRisk score field
BEHAVIORAL_RISKbehavioralRisk score field
TRUST_GRAPHtrustGraph score field
AUTOPILOTautopilot score field
INVOICE_VALIDATIONinvoiceValidation score field
LINK_EXPIREDSession link expiry failure path
MANUAL_REJECTEDFinal result is MANUAL_FAIL
OTHEROverall failure with no mapped module reason

Identity Enrolled webhook

The IDENTITY_ENROLLED webhook fires the first time an Identity is created. It does not fire for updates to an existing Identity.

The payload for IDENTITY_ENROLLED uses the following shape:

FieldTypeDescription
eventTypestringAlways IDENTITY_ENROLLED
timestampstringUTC timestamp of the triggering event in ISO 8601 format
identityIdstringUnique identifier for the newly created Identity (required)
interviewIdstringUnique identifier for the session associated with the Identity creation
externalIdstringExternal identifier, if available; null if not
externalCustomerIdstringUnique identifier from your system used for data matching; null if not available
clientIdstringUnique identifier assigned to your organization
configurationIdstringUnique identifier assigned to the Flow or Workflow for this session
integrationReferencestringReference to the integration associated with this session; null if not available
loginHintstringLogin hint provided by the end user; null if not used

Example payload:

{
  "eventType": "IDENTITY_ENROLLED",
  "timestamp": "2026-05-20T14:00:00Z",
  "identityId": "65f8...",
  "interviewId": "65f7...",
  "externalId": "ext-abc-123",
  "externalCustomerId": "cust-456",
  "clientId": "client-xyz",
  "configurationId": "flow-prod-onboarding",
  "integrationReference": "ref-789",
  "loginHint": null
}

Session Failed on link expiration

When a Workforce verification link expires, the platform sends a SESSION_FAILED webhook with failureReasons containing ["LINK_EXPIRED"]. This feature is configuration-dependent. Contact your Incode representative to enable it.


Error handling and retry policy

Webhooks make up to 5 attempts to deliver a notification in case of endpoint failures. You should ensure your endpoint is ready to handle retries and process duplicate notifications gracefully.

Retries will be triggered by either of these scenarios:

  • A timeout is received when your endpoint is called
  • A status code is returned from your service and is not either:
    • 200 OK along with the application/json header, or
    • 204 No content

The retry policy for webhooks is exponential, with an initial interval of 30 seconds and a multiplier of 2.5. The maximum number of attempts is 5. This means the maximum time a webhook can take to reach its destination is approximately 32 minutes, as illustrated in the following table.

Retry attemptDelay (seconds)Delay (minutes)Total (minutes)
1300.50.5
2751.251.75
3187.53.134.88
4468.757.8112.69
51,171.8819.5332.22

Webhook IP address list

If your organization restricts inbound traffic for your network, make sure the following IP addresses are added to your allow list.

United States

Allow the IP addresses shown in this table for the SAAS (Production) environment.

IP AddressActive
54.86.34.156Currently Active
3.142.125.52Currently Active
54.85.117.182As of February 2, 2026
3.233.40.153As of February 2, 2026

Allow this IP address for the Demo environment.

IP AddressActive
34.198.171.165Active since October 2024 (previously 18.210.119.234)

Europe

Allow this IP address for both the Production and Demo environments.

IP AddressActive
18.158.116.18Active