POST to that URL with the result. It’s faster, real-time, and scales without wasting requests.
How you configure the URL depends on the job.
One URL, several events
Some jobs move through multiple events - a cost check, indexing, completion, an error - and you may want to react to each one separately. For these you give a single URL with a{STATUS} token, for example:
https://yoursite.com/copyleaks/{STATUS}/SCAN_ID
We replace {STATUS} with the event name before calling, so each event lands on its own path and your server handles them separately. Putting the job ID in the path is optional but recommended; it lets you match the call to the right record at a glance. Some jobs can also stream partial results as they’re found, before the job completes - handy for time-sensitive integrations.
The exact field and the full list of events depend on the product - see each product’s reference for specifics.
Identifying and trusting the call
Your endpoint is a public door on the internet, so treat every call as untrusted until verified. Pass adeveloperPayload at submission and we echo it back in every webhook - use it to match a call to your own record. To confirm a call really came from us, attach custom headers to every webhook carrying a secret such as a bearer token, then validate it on receipt and pass the call through your existing auth middleware. For stronger guarantees we also support HTTPS client certificates and, on Enterprise, delivery from a fixed set of static IPs you can allowlist.
Choosing the HTTP verb
By default we send each webhook as aPOST. Where a webhook uploads a file for you to store, you can choose the HTTP method instead (for example PUT) to match whatever your endpoint or storage target expects.
Export straight to a storage bucket
A webhook target doesn’t have to be your own server. When you only want to store an asset and there’s no logic to run, point the webhook at a storage service like Amazon S3, Google Cloud Storage, or Azure Blob Storage and we’ll upload the file directly into your bucket. This is a clean, serverless option: no endpoint to host, scale, or keep online. Use a signed/authorized upload URL, set the HTTP verb your provider expects (oftenPUT), and add any required auth via custom headers - the asset lands in your bucket with no code in between.
Designing for reliable delivery
Your endpoint must be publicly reachable over HTTPS and respond within 70 seconds with a2xx. Return success as soon as you’ve accepted the payload, then do the heavy work afterward.
On a timeout or 5xx, we retry automatically - up to 17 attempts on an exponential backoff (1, 2, 4, 8 seconds, and so on). Because of retries, delivery is at-least-once: the same webhook can occasionally arrive twice.
Make your handlers idempotent. Key off a stable identifier like the scan ID or your
developerPayload so receiving a webhook twice does no harm - no duplicate charges, no double-processing.Testing without spending credits
Setsandbox: true on any submission to receive real webhooks with mock results, free. It’s the fastest way to build and verify your receiver before going live.
Next steps
Authenticity Scan Webhooks
The full reference for authenticity scan webhooks and their configuration.
AI Image Detection (Async)
Submit an image and receive the detection result via webhook.
AI Video Detection
Submit a video and receive the detection result via webhook.
Webhooks Security
Secure your endpoints with secrets, certificates, and IP allowlisting.