Public API v1

Build PassPost into your business systems

One REST endpoint dispatches a verified carrier along a route someone is already travelling. Used by hotels, universities and airports.

Integration kits

Quickstart

  1. Create a Business account and generate an API key at /business/api.
  2. Send the key as a Bearer token. Keys have scopes tasks:read and tasks:write.
  3. Create a delivery task with one POST. Subscribe to webhooks to track lifecycle.

curl — create a task

    curl -X POST https://passpost.app/api/public/v1/tasks \
      -H "Authorization: Bearer pp_live_..." \
      -H "Content-Type: application/json" \
      -d '{
        "item": "Forgotten passport",
        "category": "Documents",
        "size": "envelope",
        "urgency": "express",
        "reward_nok": 250,
        "pickup": { "city": "Oslo", "address": "Hotel Bristol, Kristian IVs gate 7" },
        "dropoff": { "city": "Gardermoen", "address": "Oslo Airport, Terminal 2" },
        "recipient": { "name": "Jane Doe", "phone": "+4790000000" },
        "external_reference": "RES-2026-00042"
      }'

Webhooks

Subscribe to task.accepted, task.picked_up, task.delivered, task.completed and task.cancelled. Every delivery is signed with HMAC-SHA256 of the raw body using your webhook secret. Verify it before trusting the payload.

Node.js — verify signature

    import crypto from "crypto";

    export function verifyPassPost(req, secret) {
      const sig = req.headers["x-passpost-signature"]; // "sha256=..."
      if (!sig) return false;
      const expected =
        "sha256=" +
        crypto
          .createHmac("sha256", secret)
          .update(req.rawBody) // the unparsed request body
          .digest("hex");
      const received = Buffer.from(sig);
      const computed = Buffer.from(expected);
      // timingSafeEqual throws on a length mismatch, so reject that case first.
      if (received.length !== computed.length) return false;
      return crypto.timingSafeEqual(received, computed);
    }

Python — verify signature

    import hashlib
    import hmac

    def verify_passpost(raw_body: bytes, header_sig: str, secret: str) -> bool:
        expected = "sha256=" + hmac.new(
            secret.encode(), raw_body, hashlib.sha256
        ).hexdigest()
        # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
        return hmac.compare_digest(expected.encode(), (header_sig or "").encode())
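
Python — verify before parsing (added example, not PassPost's own code). It shows why the MAC must be checked over the exact bytes received: a re-serialised or altered body no longer matches. The handle_webhook and sign helpers, the secret and the payload field names are assumptions, since this page does not show the webhook body schema.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "sha256="


def sign(raw_body: bytes, secret: str) -> str:
    """Header value as described above: "sha256=" + hex HMAC-SHA256 of the raw body."""
    mac = hmac.new(secret.encode(), raw_body, hashlib.sha256)
    return SIG_PREFIX + mac.hexdigest()


def handle_webhook(raw_body: bytes, header_sig, secret: str):
    """Return (http_status, parsed_event_or_None) for one webhook delivery."""
    # Reject a missing or malformed header before doing any other work.
    if not isinstance(header_sig, str) or not header_sig.startswith(SIG_PREFIX):
        return 401, None
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    expected = sign(raw_body, secret).encode()
    if not hmac.compare_digest(expected, header_sig.encode("utf-8", "replace")):
        return 401, None
    # Parse only after the exact received bytes have been authenticated.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, None
    return 200, event


# Constructed sample data: the secret and the payload field names are
# assumptions; the page does not document the webhook body schema.
SECRET = "example-webhook-secret"
RAW = b'{"event": "task.delivered",  "external_reference": "RES-2026-00042"}'

if __name__ == "__main__":
    good = sign(RAW, SECRET)
    print(handle_webhook(RAW, good, SECRET))
    # Re-serialising changes the bytes (whitespace), so the MAC no longer matches.
    reserialised = json.dumps(json.loads(RAW)).encode()
    print(handle_webhook(reserialised, good, SECRET))
    # A tampered body and a missing header are both rejected.
    print(handle_webhook(RAW.replace(b"delivered", b"cancelled"), good, SECRET))
    print(handle_webhook(RAW, None, SECRET))
```

Pass the handler the request body exactly as read from the socket; frameworks that hand over only a parsed JSON object have already discarded the bytes the signature covers.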

Limits & reliability

Rate limit
120 req / minute

Per API key. Exceeded calls return HTTP 429.

Webhook retries
5 attempts

Backoff 1m → 5m → 15m → 1h → 6h. Endpoint must respond 2xx within 10s.

Auth
Bearer API key

Scoped per key. Rotate at any time.

Spec
OpenAPI 3

Machine-readable at /api/public/v1/openapi.json.

Need a tailored integration?

We help enterprise partners with onboarding, custom SLAs and PMS plug-ins.

Talk to our team