Configure Your Webhook URL

Configure Webhook Settings

Use the MetaMap Dashboard webhook settings to configure a URL and secret to receive webhooks from your users' verifications. Visit the Integration tab and select webhooks to configure one webhook URL and webhook secret for each metamap ID you want to integrate into your application.


MetaMap uses a static IP to send webhooks

If your system uses IP filtering, make sure you can receive webhooks from all 4 of our IP addresses:


Metamap Dashboard screenshot: Configure new Webhook and Webhook URL and secret

Webhook Secret

You need to establish a 'webhook secret,' which serves as a shared key. We'll use this secret to hash the webhook payload and send it as header x-signature in our requests. By applying the same process on your end and comparing the resulting string with the one received in the header, you can always ensure that the webhook is originating from MetaMap and not from any other source. This mechanism provides security and authentication for your webhook communication.


Webhook Secret Requirements

Your webhook secret must:

  • Have ≥16 characters
  • Have ≥1 upper-case and ≥1 lower-case letter
  • Have ≥1 digit [0-9]

You can also use the "Generate a strong secret" button.

The following example in JavaScript adds a decoding script.

    const crypto = require('crypto');
    // A sample webhook coming from MetaMap
    const WEBHOOK_PAYLOAD = 
        eventName: 'verification_completed',
        metadata: {email: '[email protected]'},
        resource: '',
    const MERCHANT_SECRET = 'your_metamap_webhook_secret';
    // MetaMap hashes your webhook payload
    const signature = crypto.createHmac('sha256', MERCHANT_SECRET).update(JSON.stringify(WEBHOOK_PAYLOAD)).digest('hex');
    function verify(signature, secret, payloadBody) {
        let hash = crypto.createHmac('sha256', secret);
        hash = hash.update(payloadBody).digest('hex');
        return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(signature));
    let isValidPayload;
    isValidPayload = verify(signature, MERCHANT_SECRET, JSON.stringify(WEBHOOK_PAYLOAD));

For each verification that MetaMap processes, we will send you webhook events. Review our Webhook Specifications for more details on each event and how to access the Resource URL.