{
  "status": 400,
  "code": "INVALID_INPUT",
  "message": "<string>",
  "details": {}
}

Webhooks

Kyc customer status change

Webhook that is called when the KYC status of a customer is updated. This endpoint should be implemented by clients of the Grid API.

Authentication

The webhook includes a signature in the X-Grid-Signature header that allows you to verify that the webhook was sent by Grid. To verify the signature:

Get the Grid API public key provided to you during integration
Decode the base64 signature from the header
Create a SHA-256 hash of the request body
Verify the signature using the public key and the hash

If the signature verification succeeds, the webhook is authentic. If not, it should be rejected.

KYC/B Flow

This webhook is triggered when KYC/B has reached a decision on a customer. Generally most customers will finish KYC within a few minutes. Others might be rejected because of incorrect data passed in or may have been flagged for manual review. The webhook will only trigger for final states. This will be APPROVED, REJECTED, EXPIRED, CANCELED, MANUALLY_APPROVED, MANUALLY_REJECTED.

APPROVED: The customer has been approved.
REJECTED: The customer has been rejected after a KYC check.
PENDING_REVIEW: KYC check is in progress.
EXPIRED: KYC check has expired. This is generally because a customer did not submit all required information needed within a session.
CANCELED: KYC check was canceled.
MANUALLY_APPROVED: The customer was manually approved.
MANUALLY_REJECTED: The customer was manually rejected.
NOT_STARTED: KYC has not started on the customer.

POST

kyc-status

{
  "status": 400,
  "code": "INVALID_INPUT",
  "message": "<string>",
  "details": {}
}

Authorizations

X-Grid-Signature

string

header

required

Secp256r1 (P-256) asymmetric signature of the webhook payload, which can be used to verify that the webhook was sent by Grid.

To verify the signature:

Get the Grid public key provided to you during integration
Decode the base64 signature from the header
Create a SHA-256 hash of the request body
Verify the signature using the public key and the hash

If the signature verification succeeds, the webhook is authentic. If not, it should be rejected.

Body

application/json

timestamp

string<date-time>

required

ISO8601 timestamp when the webhook was sent (can be used to prevent replay attacks)

Example:

"2025-08-15T14:32:00Z"

webhookId

string

required

Unique identifier for this webhook delivery (can be used for idempotency)

Example:

"Webhook:019542f5-b3e7-1d02-0000-000000000007"

type

enum<string>

required

Type of webhook event

Available options:

INCOMING_PAYMENT,

OUTGOING_PAYMENT,

TEST,

BULK_UPLOAD,

INVITATION_CLAIMED,

KYC_STATUS,

ACCOUNT_STATUS

customerId

string

required

System generated id of the customer

Example:

"Customer:019542f5-b3e7-1d02-0000-000000000001"

kycStatus

enum<string>

required

The current KYC status of a customer

Available options:

APPROVED,

REJECTED,

PENDING_REVIEW,

EXPIRED,

CANCELED,

MANUALLY_APPROVED,

MANUALLY_REJECTED

Example:

"APPROVED"

Response

Webhook received successfully

Invitation claimed webhook Account status notification webhook

⌘I

Using the API

API documentation

Kyc customer status change

Authentication

KYC/B Flow

Authorizations

Body

Response