Troubleshooting and Best Practices

RiskOS™ webhooks are asynchronous notifications sent to your endpoint when specific events occur (e.g., evaluation results, case updates, watchlist alerts).

What events can RiskOS notify me about?

• Evaluation events: evaluation_completed, evaluation_paused, reevaluation, workflow_execution_failed
• Case events
• Watchlist monitoring and case events
• DocV events (progress and final decisions)

Do I need webhooks if I’m already calling the Evaluation API synchronously?

• Yes. The synchronous API provides an immediate response, while webhooks deliver asynchronous updates such as final decisions and downstream workflow results.

What event types exist?

• Evaluation events: evaluation_completed, evaluation_paused, reevaluation, workflow_execution_failed
• Case events
• Watchlist monitoring and case events
• DocV events (progress vs. final decision)

What fields are included in webhook payloads?

• event_id
• event_type
• workflow
• eval_id
• created_at
• Additional nested data depending on the event type

Which events should I subscribe to for DocV?

• case_notes_added → Progress updates
• evaluation_completed → Final decision

Which webhooks should I use for different solutions?

• Consumer Onboarding
• Login & Authentication
• Business Onboarding
• Hosted Flows

Typically:

• evaluation_completed (core event)
• Optional: case events or DocV events depending on your workflow

Where can I find webhook docs in context?

• Build with RiskOS → Webhooks / Event Subscription Types
• Solution documentation pages linking to webhook configuration

Where do I create or edit a webhook?

• Developer Workbench → Webhooks

What fields are required?

• Name
• URL
• Use Case
• Event Type(s)
• Authentication Type

How do I test a webhook before going live?

• Use the Continue to Test button to send a sample payload. Success or failure is shown inline.

What authentication methods are supported?

• Basic Authentication
• Bearer Token
• OAuth2 (client ID/secret + token URL)

Do I have to use HTTPS?

• Yes. Your endpoint must support HTTPS and accept JSON POST requests.

How do I restrict incoming webhook traffic?

• Use IP allowlisting for RiskOS™ outbound IP ranges (sandbox and production).

Can I use additional security controls?

• mTLS (optional)
• Web Application Firewalls (WAFs)
• Payload encryption

⚠️ Avoid exposing sensitive data to third-party webhook testing tools.

What happens if my endpoint is down or slow?

• RiskOS™ retries failed deliveries using exponential backoff.
• Retry attempts: up to 10 times
• From the 6th attempt onward, retries occur at ~1-minute intervals

Which status codes trigger retries?

• 504, 503, 502, 429, 423, 409, 408

How do I make webhook processing idempotent?

• Use the event_id to detect and ignore duplicates and design your system to safely handle replays.

Why is the Dashboard test failing?

• Often due to WAF or firewall blocking RiskOS™ IPs.
• Solution: allowlist sandbox/prod IP ranges and retry.

Can I re-run a webhook test without enabling it?

• Yes. You can manually trigger tests from Developer Workbench → Webhooks.

What watchlist events are available?

• Monitoring events (entity matched, updated, removed)
• Case Management events (case approved, closed)

Do I need a special endpoint or certificate?

• In some cases, you must upload your server’s TLS certificate when registering the endpoint.

Do you have example code for receiving webhooks?

• Yes. Node.js (Express) and Python (Flask) examples are available.
• They demonstrate validation, idempotency, and async processing patterns.

Can I process webhooks asynchronously?

• Yes (recommended).
• Return a 2xx response quickly, then process events in background workers.