Skip to main content
This page covers the verification step when first setting up a webhook on Dashboard. Please see our payload verification section for information on how to verify webhook payloads from vehicles.
When you first set up a webhook in the Smartcar Dashboard, Smartcar will post a challenge request to ensure we’re sending payloads to the correct place. This is a one time event and will be in the following format: 
{
  "eventId": "52f6e0bb-1369-45da-a61c-9e67d092d6db",
  "eventType": "VERIFY",
  "data": {
    "challenge": "<random-string>"
  },
  "meta": {
    "version": "4.0",
    "webhookId": "5a8e5e38-1e12-4011-a36d-56f120053f9e",
    "webhookName": "Example Webhook",
    "deliveryId": "5d569643-3a47-4cd1-a3ec-db5fc1f6f03b",
    "deliveredAt": "2025-07-31T19:38:42.332Z"
  }
}
Upon receiving the request, your server will need respond to the challenge by hashing payload.challenge with your application_management_token to create a SHA-256 based HMAC.
Our backend SDKs have helper methods to generate the HMAC.
    hmac = smartcar.hash_challenge(
            application_management_token, 
            payload.challenge
        )
Return the hex-encoded hash as the value for challenge in your response body with a 200 status code, and the Content-Type header set to application/json.
verificationResponse.body
{
  "challenge" : "{HMAC}"
}

Verify webhook challenges inside the Dashboard

Use the Smartcar Dashboard to understand exactly what Smartcar expects before you enable webhooks in production. The Verify webhook modal shows a sample challenge string plus language-specific snippets so you can implement the same HMAC signature in your code.
1

Implement the signature in your handler

Copy the challenge string from the modal and use the embedded snippets (Python, Node, Java, or Ruby) as references while you code the signature logic on your server. Run your handler locally or in staging so it is ready to answer Smartcar’s challenge.
2

Trigger Smartcar’s verification call

Once your server is ready, click Verify this webhook. Smartcar sends the challenge payload to your callback URL, and your code responds with the signature it just produced.
3

Compare expected vs actual responses

The Response tab displays the HTTP status, the challenge Smartcar sent, the signature Smartcar expected, and the body your server returned. Use this side-by-side view to confirm success or adjust your implementation before retrying.