Skip to main content
This page covers initial endpoint verification. For verifying webhook payload signatures from vehicles, see Payload Verification.
When you create a webhook or update a callback URI in the Smartcar Dashboard, Smartcar sends a one-time VERIFY event to confirm your endpoint is ready. Your endpoint must respond correctly before Smartcar will deliver any vehicle data.

The VERIFY Event

Smartcar sends a challenge request to your callback URI in this format: 
{
  "eventId": "52f6e0bb-1369-45da-a61c-9e67d092d6db",
  "eventType": "VERIFY",
  "data": {
    "challenge": "<random-string>"
  },
  "meta": {
    "version": "4.0",
    "webhookId": "5a8e5e38-1e12-4011-a36d-56f120053f9e",
    "webhookName": "Example Webhook",
    "deliveryId": "5d569643-3a47-4cd1-a3ec-db5fc1f6f03b",
    "deliveredAt": "2025-07-31T19:38:42.332Z"
  }
}

Required Response

Your endpoint must respond with:
  1. Status code: 200 OK
  2. Content-Type header: application/json
  3. Response body: A JSON object containing the HMAC-SHA256 hash of the challenge

Generate the HMAC

Create an HMAC-SHA256 hash of the challenge string using your Application Management Token as the secret key:
Our backend SDKs have helper methods to generate the HMAC.
    let hmac = smartcar.hashChallenge(
        application_management_token, 
        payload.challenge
    );

Return the Response

Return the hex-encoded hash in your response body with the key challenge:
Response Body
{
  "challenge": "{HMAC-hex-string}"
}
If your endpoint fails to respond correctly within 15 seconds, Smartcar will not activate the webhook. You can retry verification from the Dashboard at any time.

Verify webhook challenges inside the Dashboard

Use the Smartcar Dashboard to understand exactly what Smartcar expects before you enable webhooks in production. The Verify webhook modal shows a sample challenge string plus language-specific snippets so you can implement the same HMAC signature in your code.
1

Implement the signature in your handler

Copy the challenge string from the modal and use the embedded snippets (Python, Node, Java, or Ruby) as references while you code the signature logic on your server. Run your handler locally or in staging so it is ready to answer Smartcar’s challenge.
2

Trigger Smartcar’s verification call

Once your server is ready, click Verify this webhook. Smartcar sends the challenge payload to your callback URL, and your code responds with the signature it just produced.
3

Compare expected vs actual responses

The Response tab displays the HTTP status, the challenge Smartcar sent, the signature Smartcar expected, and the body your server returned. Use this side-by-side view to confirm success or adjust your implementation before retrying.