This page covers the verification step when first setting up a webhook on Dashboard. Please see our payload verification section for information on how to verify webhook payloads from vehicles.
When you first set up a webhook in the Smartcar Dashboard, Smartcar will post a challenge request to ensure we’re sending payloads to the correct place. This is a one time event and will be in the following format: 
{
  "eventId": "52f6e0bb-1369-45da-a61c-9e67d092d6db",
  "eventType": "VERIFY",
  "data": {
    "challenge": "<random-string>"
  },
  "meta": {
    "version": "4.0",
    "webhookId": "5a8e5e38-1e12-4011-a36d-56f120053f9e",
    "webhookName": "Example Webhook",
    "deliveryId": "5d569643-3a47-4cd1-a3ec-db5fc1f6f03b",
    "deliveredAt": "2025-07-31T19:38:42.332Z",
  }
}
Upon receiving the request, your server will need respond to the challenge by hashing payload.challenge with your application_management_token to create a SHA-256 based HMAC.
Our backend SDKs have helper methods to generate the HMAC.
    hmac = smartcar.hash_challenge(
            application_management_token, 
            payload.challenge
        )
Return the hex-encoded hash as the value for challenge in your response body with a 200 status code, and the Content-Type header set to application/json.
verificationResponse.body
{
  "challenge" : "{HMAC}"
}