Session Webhooks
Overview of the Session Started, Session Failed, Session Succeeded, and Session Pending Review webhooks
Session webhooks let you set up notifications for events that happen during any session triggered by a Flow or Workflow. You can configure them, along with other types of webhooks, in Dashboard.
Learn more about webhooks
Webhooks are event notifications. They let your organization's application know when a specific event happens on the Incode platform or when a process initiated by a user is completed (also known as a callback). Your application can then take action based on the notification.
Webhooks are asynchronous (that is, the communication is only from the Incode platform to your application). You must configure them if you want to use them.
Each session webhook notifies you about a specific session event. This is different from the Onboarding Status webhook, which sends notifications at the completion of every module during a single session. Depending on the number of modules in the session Flow or Workflow, this could be more notifications than you need or want.
Session webhooks provide additional flexibility and let you tailor your notifications for specific needs.
There are four session webhooks available:
- Session Started: Triggered when any session triggered by a Flow or Workflow starts.
- Session Failed: Triggered when any session triggered by a Flow or Workflow fails. Sessions can fail at various points and for various reasons during a Flow or Workflow. You can view more information about failed sessions in Dashboard. Go to Dashboard > Sessions and click any session in the table to open it.
- Session Succeeded: Triggered when any session triggered by a Flow or Workflow succeeds.
- Session Pending Review: Triggered when any session triggered by a Flow or Workflow requires manual review.
Key facts about session webhooks
- Each session webhook notification contains a number of common fields. These provide context and allow you to track what's happening more easily.
- Notifications come as
POSTrequests to the endpoint you configured in Dashboard. - Notification headers are passed as key/value pairs.
- Notification payloads are sent in JSON format. You must configure any internal settings to include
Accept Application/json. - Data is included in the first notification for which it is available.
Notification payload fields
The 6 fields explained in the following table are common to all session webhook notifications. They are the only fields included in SESSION_STARTED.
| Field | Type | Description |
|---|---|---|
event_type | string | Name of the webhook providing the notification: SESSION_STARTED, SESSION_FAILED, SESSION_SUCCEEDED, or SESSION_PENDING_REVIEW |
timestamp | string | UTC timestamp of the triggering event in ISO 8601 format |
interviewId | string | Unique identifier for the session |
externalCustomerId | string | Unique identifier from your system that is used for data matching |
clientId | string | Unique identifier assigned to your organization |
configurationId | string | Unique identifier assigned to the Flow or Workflow for this session |
integrationId | string | Unique identifier assigned by Incode to the integration associated with this session. If there was no integration for the session, this field does not appear. |
loginHint | string | Displays a value entered by the end user as a login hint for this session. If no login hint was used, this field does not appear. |
The next table explains 4 fields that are only available after a session starts. These fields are included in SESSION_FAILED, SESSION_SUCCEEDED, or SESSION_PENDING_REVIEW notifications.
| Field | Type | Description |
|---|---|---|
onboardingStatus | string | Status of the session; the value is always ONBOARDING_FINISHED. The term "onboarding" here applies to any session. |
ip | string | IP address for the end user device as taken from the device fingerprint. Not available for fully API-integrated sessions. |
latitude | string | Latitude at which the end user device was located during the session, as taken from the device fingerprint. Not available for fully API-integrated sessions. |
longitude | string | Longitude at which the end user device was located during the session, as taken from the device fingerprint. Not available for fully API-integrated sessions. |
The final table explains the single field included only in session webhook notifications for SESSION_SUCCEEDED.
| Field | Type | Description |
|---|---|---|
identityId | string | Unique identifier for the Identity that was either matched or created for this session. |
Error handling and retry policy
Webhooks make up to 5 attempts to deliver a notification in case of endpoint failures. You should ensure your endpoint is ready to handle retries and process duplicate notifications gracefully.
Retries will be triggered by either of these scenarios:
- A timeout is received when your endpoint is called
- A status code is returned from your service and is not either:
200 OKalong with theapplication/jsonheader, or204 No content
The retry policy for webhooks is exponential, with an initial interval of 30 seconds and a multiplier of 2.5. The maximum number of attempts is 5. This means the maximum time a webhook can take to reach its destination is approximately 32 minutes, as illustrated in the following table.
| Retry attempt | Delay (seconds) | Delay (minutes) | Total (minutes) |
|---|---|---|---|
| 1 | 30 | 0.5 | 0.5 |
| 2 | 75 | 1.25 | 1.75 |
| 3 | 187.5 | 3.13 | 4.88 |
| 4 | 468.75 | 7.81 | 12.69 |
| 5 | 1,171.88 | 19.53 | 32.22 |
Webhook IP address list
If your organization restricts inbound traffic for your network, make sure the following IP addresses are added to your allow list.
United States
Allow the IP addresses shown in this table for the SAAS (Production) environment.
| IP Address | Active |
|---|---|
| 54.86.34.156 | Currently Active |
| 3.142.125.52 | Currently Active |
| 54.85.117.182 | As of February 2, 2026 |
| 3.233.40.153 | As of February 2, 2026 |
Allow this IP address for the Demo environment.
| IP Address | Active |
|---|---|
| 34.198.171.165 | Active since October 2024 (previously 18.210.119.234) |
Europe
Allow this IP address for both the Production and Demo environments.
| IP Address | Active |
|---|---|
| 18.158.116.18 | Active |
Updated about 5 hours ago