Skip to main content
When an assessment completes, Marmar queues an outbox event and attempts to deliver it to the tenant’s configured webhook URL. Payloads include a signed HMAC so receivers can verify authenticity before processing. Assessments are generated asynchronously. POST /v1/assessments returns a pending identifier immediately, and once processing finishes the completed, you would be able to fetch the details via GET /v1/tenants/{tenantCode}/assessments/{assessmentId}.

Signature verification

Each delivery includes headers:
  • X-Marmar-Event: always assessment.completed.
  • X-Marmar-Timestamp: Unix timestamp in seconds.
  • X-Marmar-Signature: v1= followed by the lowercase hex digest of HMAC_SHA256(secret, timestamp + "." + body).
Reject any payload older than five minutes or whose signature does not match. Using a constant-time comparison mitigates timing attacks.

Retries

If a delivery fails (non-2xx status, timeout, or network error) the platform retries with exponential backoff up to fifteen minutes. Afterwards the event is parked and can be retried manually. Configure webhook targets via PUT /v1/tenants/webhook. Setting the URL or secret to null disables outbound delivery.