New to webhooks? Follow the step-by-step Subscribe to webhook events guide to register an endpoint, verify signatures, and handle retries.
Domains
Every event type is a stable identifier in the formv1.<domain>.<entity>.<action>. Events are grouped into the following domains — browse each domain in the sidebar to see its individual events, payloads, and schemas.
| Domain | What it covers |
|---|---|
| Questionnaire | Questionnaire lifecycle and export events |
| Trust Center | Trust Center access request events |
| Vendor | Vendor risk decision events |
| Information Request | Audit information request (IRL) status, comment, and evidence events |
| Evidence | Audit evidence status and comment events |
The Information Request and Evidence domains are auditor-specific — these events are only delivered to Audit Partner accounts during an active audit engagement. All other domains are delivered to your own Vanta account.
Delivery format
Vanta sends each event as an HTTPPOST with the event payload as the JSON body. Every delivery includes the following headers:
| Header | Description |
|---|---|
svix-id | The unique message identifier. Use it to deduplicate events. |
svix-timestamp | The timestamp of the message attempt (seconds since epoch). |
svix-signature | The Base64-encoded signature(s), space-delimited. Use it to verify the request originated from Vanta. |
Retry schedule
A delivery is considered failed if your endpoint doesn’t respond with a2xx status code within 15 seconds, including network timeouts. Vanta automatically retries failed deliveries using an exponential backoff schedule:
| Attempt | Delay after previous attempt |
|---|---|
| 1 | Immediately |
| 2 | 5 seconds |
| 3 | 5 minutes |
| 4 | 30 minutes |
| 5 | 2 hours |
| 6 | 8 hours |
| 7 | 1 day |
| 8 | 2 days |
Next steps
Set up webhooks
Register an endpoint, verify signatures, and handle retries.
Manage Vanta API
Look up the full objects referenced in webhook payloads.