The flow
Create a subscription
Call POST /v1/watch with the events, your webhook URL, and
the entities to watch. Store the
secret returned once in the response.Receive signed events
AUO POSTs each event to your URL with an
X-AUO-Signature header. Verify it before
trusting the payload.Respond 2xx
Return any
2xx to acknowledge. A non-2xx or a timeout is retried with backoff. If
all retries are exhausted the event is marked failed but stays readable via
changes, so you never lose it.Verifying the signature
Each delivery carries:X-AUO-Signature: t={unixTimestamp},v1={hex}wherehexis the HMAC-SHA256 of the string"{t}.{rawBody}"using your subscription’s signing secret.X-AUO-Event-Id: {id}, unique per event and stable across retries (use it to deduplicate).
The event taxonomy
Subscribe to any subset of these event types when you create the subscription:| Event | Fires on |
|---|---|
deregistration | A company transitions to a deregistered status. |
name_change | A current name changes (company or business name). |
abn_cancelled | The entity’s ABN is cancelled. |
gst_deregistered | GST registration is removed. |
banned_match | The entity newly matches a banned or disqualified register. |
sanctions_match | The entity newly matches the DFAT sanctions list. |
external_administration | An external administration or insolvency notice appears. |
bankruptcy_petition_filed | A bankruptcy petition is filed (an allegation, not adjudicated status). |
charity_status_change | ACNC registration status changes. |
licensing_change | An AFS or credit licence status changes. |
professional_registration_change | A financial adviser, auditor, or SMSF auditor registration changes. |
relationship_change | A trustee or licensee relationship field changes. |
austrac_roll_change | An AUSTRAC reporting-entity roll change. |
Screening events (
banned_match, sanctions_match) are possible-match signals, the
monitoring mirror of the screening posture. Treat them
as prompts for review, not verdicts.