Watch turns AUO from a lookup into a monitor. You subscribe to an entity, and AUO POSTs a signed event to your URL whenever a monitored change is detected across the same red-flag sources that back screening.

The flow

  1. Create a subscription. Call POST /v1/watch with the events, your webhook URL, and the entities to watch. Store the secret from the response; it is returned only once.
  2. Receive signed events. AUO POSTs each event to your URL with an X-AUO-Signature header. Verify it before trusting the payload.
  3. Respond 2xx. Return any 2xx status to acknowledge. A non-2xx response or a timeout is retried with backoff. If all retries are exhausted, the event is marked failed but stays readable via changes, so you never lose it.

Verifying the signature

Each delivery carries:
  • X-AUO-Signature: t={unixTimestamp},v1={hex} where hex is the HMAC-SHA256 of the string "{t}.{rawBody}" using your subscription’s signing secret.
  • X-AUO-Event-Id: {id}, unique per event and stable across retries (use it to deduplicate).
Verify the HMAC and that the timestamp is recent, to defeat replay attacks.
import crypto from "node:crypto";

function verify(rawBody, header, secret, toleranceSeconds = 300) {
  const parts = Object.fromEntries(header.split(",").map((p) => p.split("=")));
  const t = Number(parts.t);
  if (!t || Math.abs(Date.now() / 1000 - t) > toleranceSeconds) return false; // replay guard
  const expected = crypto
    .createHmac("sha256", secret)
    .update(`${t}.${rawBody}`)
    .digest("hex");
  // constant-time compare
  const a = Buffer.from(expected);
  const b = Buffer.from(parts.v1 ?? "");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
Verify against the raw request body, byte for byte, before any JSON parsing or re-serialization. Re-encoding the body changes the bytes and breaks the signature.
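The receiving side end to end, as an added example (not AUO's own code): a signing helper in the header format described above so you can exercise your endpoint locally, the verification from above, and a receiver that deduplicates on X-AUO-Event-Id and only parses JSON after the raw bytes check out. The payload shape, secret and event id are constructed for the demo; the page does not document them.

```javascript
import crypto from "node:crypto";

// Signing side, as the page describes AUO doing it: HMAC-SHA256 over "{t}.{rawBody}".
// Assumed helper for building a local test harness; AUO itself does this server-side.
function sign(rawBody, secret, t = Math.floor(Date.now() / 1000)) {
  const v1 = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${v1}`;
}

// Receiving side: the same checks as the verify() above, repeated so this block runs alone.
function verify(rawBody, header, secret, toleranceSeconds = 300) {
  const parts = Object.fromEntries(header.split(",").map((p) => p.split("=")));
  const t = Number(parts.t);
  if (!t || Math.abs(Date.now() / 1000 - t) > toleranceSeconds) return false; // replay guard
  const expected = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  const a = Buffer.from(expected);
  const b = Buffer.from(parts.v1 ?? "");
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Receiver: verify first, deduplicate on X-AUO-Event-Id (stable across retries), then parse.
// Header names are lowercased, as Node's http module presents them. Returns the status to send.
function makeReceiver(secret, onEvent) {
  const seen = new Set(); // in production use a persistent store keyed by event id
  return function receive(headers, rawBody) {
    if (!verify(rawBody, headers["x-auo-signature"] ?? "", secret)) {
      return { status: 401, action: "rejected" }; // non-2xx: AUO retries with backoff
    }
    const id = headers["x-auo-event-id"];
    if (seen.has(id)) return { status: 200, action: "duplicate" }; // acknowledge, don't reprocess
    seen.add(id);
    onEvent(JSON.parse(rawBody)); // parse only after the raw bytes were verified
    return { status: 200, action: "processed" };
  };
}

// Constructed sample delivery; the payload shape is assumed, not documented on this page.
const SECRET = "whsec_constructed_example";
const RAW = '{"event": "abn_cancelled", "entity": "EXAMPLE-ENTITY"}'; // note the spaces
const HEADERS = { "x-auo-signature": sign(RAW, SECRET), "x-auo-event-id": "evt_constructed_1" };

function demo() {
  const handled = [];
  const receive = makeReceiver(SECRET, (e) => handled.push(e.event));
  const first = receive(HEADERS, RAW).action; // "processed"
  const retry = receive(HEADERS, RAW).action; // "duplicate": same event id, not handled twice
  const reencoded = receive(HEADERS, JSON.stringify(JSON.parse(RAW))).action; // "rejected": bytes changed
  const stale = receive({ ...HEADERS, "x-auo-signature": sign(RAW, SECRET, 1) }, RAW).action; // "rejected": old t
  return { first, retry, reencoded, stale, handled };
}
```

The re-encoded case is the pitfall from the paragraph above: the parsed-and-stringified body loses its whitespace, so the HMAC no longer matches even though the JSON is equivalent.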

The event taxonomy

Subscribe to any subset of these event types when you create the subscription:
  Event                              Fires on
  deregistration                     A company transitions to a deregistered status.
  name_change                        A current name changes (company or business name).
  abn_cancelled                      The entity's ABN is cancelled.
  gst_deregistered                   GST registration is removed.
  banned_match                       The entity newly matches a banned or disqualified register.
  sanctions_match                    The entity newly matches the DFAT sanctions list.
  external_administration            An external administration or insolvency notice appears.
  bankruptcy_petition_filed          A bankruptcy petition is filed (an allegation, not an adjudicated status).
  charity_status_change              ACNC registration status changes.
  licensing_change                   An AFS or credit licence status changes.
  professional_registration_change   A financial adviser, auditor, or SMSF auditor registration changes.
  relationship_change                A trustee or licensee relationship field changes.
  austrac_roll_change                An AUSTRAC reporting-entity roll change.
Screening events (banned_match, sanctions_match) are possible-match signals, the monitoring counterpart of the screening posture. Treat them as prompts for review, not as verdicts.

If you cannot receive webhooks

Poll GET /v1/entity//changes instead. Every event that a webhook would deliver is readable there, with its delivery status.

Rolling the secret

If a signing secret may have been exposed, call POST /v1/watch//roll. It returns a new secret once and invalidates the old one. Rolling your API key from the dashboard rotates the token and the webhook secret together.