Skip to main content
Didit Raises $7.5M to Build the Infrastructure for Identity and Fraud
Didit
Back to blog
Blog · March 7, 2026

Deploying Didit Webhook Listeners in Multi-Cloud Kubernetes

Effectively deploying Didit webhook listeners in a multi-cloud Kubernetes environment requires careful architectural planning for high availability, security, and scalability.

By DiditUpdated
deploying-didit-webhook-listeners-in-multi-cloud-kubernetes.png

Strategic Ingress ConfigurationUtilize advanced Ingress controller features like path-based routing and TLS termination to securely expose webhook endpoints across various cloud providers, ensuring seamless traffic management and load balancing for Didit webhooks.

Enhanced Security MeasuresImplement HMAC-SHA256 signature verification for every incoming Didit webhook to confirm authenticity and prevent tampering, adding a critical layer of security to your identity verification workflows.

High Availability Across CloudsDesign your Kubernetes deployments and Ingress rules to distribute webhook listener instances across multiple cloud regions or providers, guaranteeing uninterrupted service and resilience against regional outages.

Didit's Seamless IntegrationDidit's flexible API and configurable webhooks, coupled with its modular, AI-native architecture, simplify the integration process into complex multi-cloud Kubernetes setups, providing real-time verification results and robust data retention controls.

The Challenge of Multi-Cloud Webhook Deployment

In today's distributed application landscape, leveraging multi-cloud environments for resilience, cost optimization, and geographic reach is increasingly common. However, deploying critical components like webhook listeners, especially for sensitive operations like identity verification, introduces unique complexities. Webhooks are essential for receiving real-time notifications from services like Didit after an identity verification session completes. Ensuring these notifications are delivered securely, reliably, and efficiently across different cloud providers, often managed by Kubernetes, is paramount.

The primary challenges include consistent network routing, secure endpoint exposure, load balancing, and maintaining data integrity and authenticity. Without a well-thought-out strategy, companies risk missed notifications, security vulnerabilities, and operational overhead. This is particularly true for identity verification processes where timely updates are crucial for user onboarding, compliance, and fraud prevention. Didit's ID Verification, Liveness Detection, and AML Screening services rely on these real-time updates to inform your applications instantly.

Leveraging Kubernetes Ingress for Unified Access

Kubernetes Ingress controllers serve as the gateway to your cluster, abstracting away the complexities of network routing and providing a unified entry point for external traffic. In a multi-cloud environment, Ingress becomes even more critical. You can deploy Ingress controllers (like NGINX, HAProxy, or cloud-specific ones such as AWS ALB Ingress Controller or Google Cloud Ingress) in each Kubernetes cluster across your different cloud providers. This allows you to define a consistent way to expose your Didit webhook listener services.

Key strategies for Ingress in a multi-cloud webhook setup:

  • Centralized Domain Management: Use a single, consistent domain for your webhooks, with DNS configured to point to the appropriate Ingress controller in each cloud region/provider. This simplifies webhook URL management within Didit's configuration.
  • Path-Based Routing: Define specific paths (e.g., /webhooks/didit) in your Ingress rules to direct Didit's webhook notifications to the correct backend service, ensuring that only relevant traffic reaches your listener.
  • TLS Termination: Always terminate TLS at the Ingress controller. This offloads encryption/decryption from your backend services and ensures secure communication from Didit to your infrastructure.
  • Load Balancing: Ingress controllers inherently provide load balancing capabilities, distributing incoming webhook requests among multiple instances of your listener application, crucial for handling peak loads.

Ensuring Security: Signature Verification and Data Retention

Security is non-negotiable when dealing with identity verification data. Didit's webhooks come with built-in security features that you must leverage. Every Didit webhook notification includes an X-Signature header containing an HMAC-SHA256 signature. This signature, generated using a shared secret key, allows your application to verify the authenticity and integrity of the webhook payload. You can retrieve and rotate this secret_shared_key via Didit's API, ensuring that only Didit-generated webhooks are processed by your listeners.

Your webhook listener must perform the following steps for every incoming request:

  1. Read the raw request body before any JSON parsing.
  2. Calculate the HMAC-SHA256 signature of the raw body using your secret_shared_key.
  3. Compare your calculated signature with the X-Signature header. If they don't match, reject the request.
  4. Validate the timestamp (also provided in headers) to ensure the webhook is fresh and mitigate replay attacks.
  5. Process the JSON payload, updating your user records or triggering downstream workflows based on the verification status (e.g., approved, rejected, manual_review).

Additionally, Didit provides robust data retention controls. As a data processor, Didit empowers you, the data controller, to define how long verification data is stored. You can configure data retention policies (from 1 month to 10 years, or unlimited) in the Business Console, helping you comply with GDPR and other local data protection regimes. This flexibility, combined with secure webhooks, ensures you maintain strict control over sensitive user data.

Achieving High Availability and Disaster Recovery

A multi-cloud strategy isn't just about spreading workloads; it's about resilience. To achieve high availability for your Didit webhook listeners, consider an active-active or active-passive deployment model across your cloud providers. This means:

  • Redundant Deployments: Deploy your webhook listener application and its associated Ingress controllers in at least two different cloud regions or even different cloud providers.
  • Global DNS: Use a global DNS service (like AWS Route 53, Google Cloud DNS, or a third-party provider) with health checks to route traffic to the healthy Ingress controller in the active region. If one region fails, DNS automatically directs traffic to the other.
  • Database Replication: Ensure your backend database, where verification results are stored, is replicated across regions or clouds to maintain data consistency and availability.
  • Idempotency: Design your webhook processing logic to be idempotent. This means that processing the same webhook notification multiple times will not lead to unintended side effects, which is crucial in distributed systems where retries or duplicate deliveries can occur.

By implementing these strategies, your system can gracefully handle outages in a single cloud region or provider, ensuring that Didit's real-time verification updates continue to be received and processed without interruption, supporting critical operations like Proof of Address verification and Age Estimation.

How Didit Helps

Didit is engineered to be the open, modular identity layer of the internet, making it inherently suitable for complex, distributed architectures like multi-cloud Kubernetes. Our flexible API and robust webhook system allow for seamless integration into your existing infrastructure, providing real-time identity verification results. Didit's modular design means you can cherry-pick the exact identity checks you need—from ID Verification (OCR, MRZ, barcodes) and Passive & Active Liveness to 1:1 Face Match, AML Screening, and Phone & Email Verification—and receive instant updates via webhooks.

With Didit, you benefit from:

  • Free Core KYC: Start verifying identities without upfront costs, making multi-cloud experimentation affordable.
  • Modular Architecture: Easily integrate specific identity primitives, and receive granular webhook notifications tailored to each check.
  • AI-Native Platform: Our AI-powered verification ensures high accuracy and speed, delivering quick results to your webhook listeners.
  • Configurable Webhooks: Set your webhook URL, payload version (v3 recommended), and rotate your secret key directly through the API or Business Console, giving you full control over your notification stream.
  • Data Retention Controls: Manage your data retention policy directly in the Business Console, ensuring compliance with global data protection regulations across all your cloud deployments.
  • No Setup Fees: Get started immediately and integrate into your multi-cloud environment without hidden costs.

Ready to Get Started?

Ready to see Didit in action? Get a free demo today.

Start verifying identities for free with Didit's free tier.

Infrastructure for identity and fraud.

One API for KYC, KYB, Transaction Monitoring, and Wallet Screening. Integrate in 5 minutes.

Start freeTalk to us
Ask an AI to summarise this page
Deploy Didit Webhook Listeners in Multi-Cloud Kubernetes.