Webhooks

Skadi pushes lifecycle events to a partner-supplied HTTPS URL. Delivery is at-least-once, signed with HMAC-SHA256, with exponential backoff and dead-letter after 8 attempts.

Event catalog

Payload

{
  "id":         "5b5c0a3f-71b8-4f4a-9a1d-9c3a92e4f9a1",
  "event_type": "policy.endorsed",
  "created_at": "2026-06-01T15:42:11.123Z",
  "trace_id":   "8b1c0a3f71b84f4a9a1d9c3a92e4f9a1",
  "data": {
    "transaction_id":    "...",
    "policy_id":         "...",
    "sequence_number":   3,
    "transaction_type":  "endorsement",
    "effective_date":    "2026-06-01",
    "applied_at":        "2026-06-01T15:42:10.998Z",
    "premium_change":    1250.00,
    "new_total_premium": 12750.00
  }
}

Signature

Skadi-Webhook-Signature: t=1716393600,v1=<hex_hmac_sha256>
Skadi-Webhook-Event-Id:  <event uuid>
Skadi-Webhook-Event-Type: policy.endorsed
traceparent:             00-<trace-id>-<span-id>-01

The MAC is computed over the literal string ${t}.${rawBody} with your endpoint's signing_secret. Verify with constant-time equality and reject if t is more than 5 minutes off your wall clock.

Retry schedule

After 8 failed attempts the delivery moves to the dead-letter queue and stops retrying.

Idempotency

Delivery is at-least-once. The Skadi-Webhook-Event-Id header (and the id field in the body) are stable across retries — store them and return 2xx on duplicates.

Configuring an endpoint

Internal admins manage webhook endpoints in the underwriter app's admin panel. Partner self-serve registration through this docs portal is still on the roadmap — until it ships, contact partner-eng@skadispecialty.com with your target URL, the event types you want (or * for all), and your agency group ID. We provision a 32+ character signing secret returned once at creation.