How does Arkova verify documents without seeing them?

Arkova uses cryptographic fingerprinting (SHA-256) that runs entirely in your browser. We only store the fingerprint, a one-way mathematical proof, never the document itself. This fingerprint is then anchored to a permanent public record.

Can anyone verify a credential?

Yes. Verification is completely open. Anyone with a verification link or QR code can confirm a document's authenticity and timestamp independently. No account or software required.

What types of documents can I anchor?

Any digital file: PDFs, images, spreadsheets, presentations, contracts, certificates, transcripts. If it has a file, it can be fingerprinted and anchored.

How is this different from DocuSign or other e-signature tools?

E-signature tools prove who signed a document. Arkova proves that a specific document existed at a specific time and has not been altered since. These are complementary. You can anchor a signed document to prove it hasn't changed after signing.

Can I integrate Arkova into my existing systems?

Absolutely. Our Verification API lets you verify credentials programmatically with a single API call. Batch endpoints support up to 100 verifications per request. Webhook notifications provide real-time events.

Your documents never leave your device. That's our foundational privacy guarantee, not just a feature. Fingerprints are anchored to a public, independently verifiable network. Even if our servers were compromised, your documents remain private because we never had them.

How does Arkova work with our existing ATS or background check workflow?

Arkova's Verification API integrates with any system that can make an HTTP call. Your ATS, HRIS, or background screening platform calls our endpoint and receives a structured, verified response. We also support webhooks for real-time status updates and batch endpoints for bulk verification.

Webhooks

Last updated: March 27, 2026

1. Overview

Webhooks deliver real-time notifications when events occur in Arkova. Instead of polling the API, your server receives an HTTPS POST the moment something important happens.

HTTPS-only delivery (enforced at database level)
Every delivery is signed with HMAC-SHA256 for authenticity verification

Note

Webhooks are available on all plans. Configure them in Settings → Webhooks.

2. Setup

Navigate to Settings → Webhooks in the Arkova dashboard
Click "Add Endpoint"
Enter your HTTPS endpoint URL
Select which events to subscribe to
Copy your webhook signing secret (shown once)

Important

Your endpoint must respond with a 2xx status within 30 seconds. Non-2xx responses trigger retries.

3. Event Types

Event	Trigger	Description
`anchor.created`	New credential created	Fires when an anchor record is created
`anchor.secured`	Network confirmation	Fires when the anchor transaction is confirmed in a block
`anchor.revoked`	Credential revoked	Fires when a credential is revoked by the owner
`anchor.verified`	Verification lookup	Fires when someone verifies the credential (optional, high volume)
`attestation.created`	New attestation	Fires when an attestation claim is created
`attestation.revoked`	Attestation revoked	Fires when an attestation is revoked

4. Payload Format

Every webhook delivery sends a JSON body with the following shape:

json

{
  "event": "anchor.secured",
  "timestamp": "2026-03-15T14:30:00Z",
  "data": {
    "public_id": "ARK-2026-00091",
    "status": "SECURED",
    "bitcoin_block": 204567,
    "network_receipt_id": "b8e381df09ca404e...",
    "issuer_name": "University of Michigan",
    "credential_type": "DIPLOMA"
  },
  "idempotency_key": "wh_evt_abc123def456"
}

Headers included on every delivery:

X-Arkova-Signature — HMAC-SHA256 signature of the payload body
X-Arkova-Timestamp — ISO 8601 UTC timestamp
X-Arkova-Event — Event type (e.g., anchor.secured)

5. Signature Verification

Important

Always verify webhook signatures. Reject unsigned or incorrectly signed payloads.

Node.js / TypeScript

typescript

import crypto from 'crypto';

function verifySignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Python

python

import hmac
import hashlib

def verify_signature(payload: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(), payload, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(signature, expected)

6. Retry Policy

Attempt	Delay	Total Elapsed
1	Immediate	0
2	1 minute	1 min
3	5 minutes	6 min
4	30 minutes	36 min
5	2 hours	~2.5 hours

After all 5 attempts are exhausted, the event goes to a dead letter queue (retained 30 days)
Manual replay is available from the dashboard
Consecutive failures trip a circuit breaker — the endpoint is disabled and probed after a cooldown period
Rate limit: 100 deliveries/minute per organization

7. Best Practices

Return 200 quickly, then process async — don't do heavy work in the handler
Use the idempotency_key to deduplicate — the same event may be delivered more than once
Verify signatures on every request — never trust unverified payloads
Use a queue (Redis, SQS) for processing — decouple receipt from handling
Monitor your endpoint's error rate in the Arkova dashboard
Set up alerting for webhook failures