REFERENCE

Webhooks

Subscribe to document-change events. We deliver HMAC-signed JSON over HTTPS and retry with exponential backoff (1m → 5m → 30m → 2h → 12h).

Create a subscription

The secret is returned once at creation — store it somewhere your worker can read. Only a SHA-256 hash is persisted on our side.

curl -X POST -H "Authorization: Bearer ld_live_…" \
  -H "Content-Type: application/json" \
  -d '{ "url": "https://example.com/hook", "event": "document.changed" }' \
  https://api.legaldata.cleolabs.co/v2/webhooks

Verify the signature

Every delivery carries an X-Cleo-Signature: sha256=… header. Compute HMAC-SHA256(secret, raw_body) and compare timing-safe. Anything else is a forgery — reject with 401.

See the REST reference for the full subscription / delivery schema.