search
Ctrlk

πŸͺWebhooks

API reference for webhook-related endpoints

hashtag
Subscription

hashtag
Managing Webhook Subscriptions

You can create a new webhook subscription or update an existing one using a PUT request to /webhooks. Whether you prefer to receive notifications for all entities through a single callback URL or require more granular configuration, you can achieve this by using the types parameter in the request body.

hashtag
Create new or update an existing webhook

put
/webhooks

Creates new webhook subscription or updates an existing one

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
SignaturestringRequired

HTTP message signature

Signature-InputstringRequired

HTTP message signature input

Idempotency-Keystring Β· uuidRequired

Idempotency key (UUID)

Content-DigeststringRequired

Content digest

Body
idstring Β· uuidOptional

Unique ID of the webhook to be updated

callbackUrlstring Β· uriRequired

URL to be subscribed for receiving events

Example: https://example.com/callback
Responses
chevron-right
200

Successful operation

application/json

Webhook details for subscribed callback URL receiving entity update events

idstring Β· uuidRequired

Unique webhook ID

callbackUrlstring Β· uriRequired

URL to be subscribed for receiving events

Example: https://example.com/callback
createdAtstring Β· date-timeRequired

Date this webhook was created (ISO-8601)

updatedAtstring Β· date-timeRequired

Date this webhook was last updated (ISO-8601)

put
/webhooks

hashtag
Retrieving Webhook Subscriptions

You can retrieve and existing webhook subscription using a GET request to /webhooks/{webhookId}.

hashtag
Retrieve webhook subscription information

get
/webhooks/{webhookId}

Retrieves webhook subscription information

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
webhookIdstring Β· uuidRequired

Unique webhook ID

Header parameters
SignaturestringRequired

HTTP message signature

Signature-InputstringRequired

HTTP message signature input

Responses
chevron-right
200

Successful operation

application/json

Webhook details for subscribed callback URL receiving entity update events

idstring Β· uuidRequired

Unique webhook ID

callbackUrlstring Β· uriRequired

URL to be subscribed for receiving events

Example: https://example.com/callback
createdAtstring Β· date-timeRequired

Date this webhook was created (ISO-8601)

updatedAtstring Β· date-timeRequired

Date this webhook was last updated (ISO-8601)

get
/webhooks/{webhookId}

To retrieve all active webhook subscriptions, make a GET request to /webhooks.

hashtag
Retrieve all active webhooks

get
/webhooks

Retrieves all active webhooks

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
SignaturestringRequired

HTTP message signature

Signature-InputstringRequired

HTTP message signature input

Responses
chevron-right
200

Successful operation

application/json

Webhook details for subscribed callback URL receiving entity update events

idstring Β· uuidRequired

Unique webhook ID

callbackUrlstring Β· uriRequired

URL to be subscribed for receiving events

Example: https://example.com/callback
createdAtstring Β· date-timeRequired

Date this webhook was created (ISO-8601)

updatedAtstring Β· date-timeRequired

Date this webhook was last updated (ISO-8601)

get
/webhooks

hashtag
Removing Webhook Subscriptions

If you wish to remove a webhook subscription, you can do so by sending a DELETE request to /webhooks/{webhookId}.

hashtag
Remove webhook subscription

delete
/webhooks/{webhookId}

Removes webhook subscription

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
webhookIdstring Β· uuidRequired

Unique webhook ID

Header parameters
SignaturestringRequired

HTTP message signature

Signature-InputstringRequired

HTTP message signature input

Idempotency-Keystring Β· uuidRequired

Idempotency key (UUID)

Responses
delete
/webhooks/{webhookId}
No content

hashtag
Schema

circle-exclamation

This portion of our API is in active development and may be updated frequently. Please, reach out to us if something is not working or not working as expected

Every webhook event object has a discriminator webhookType field followed by all fields included in a respective entity schema:

chevron-rightCustomer Updated Eventhashtag
chevron-rightAccount Updated Eventhashtag
chevron-rightCard Updated Eventhashtag
chevron-rightAuthorisation Updated Eventhashtag
chevron-rightTransaction Updated Eventhashtag

hashtag
Webhook retry policy

We consider a webhook successfully delivered when we receive a success status code (2xx) from your webhook URI.

If we receive any other status code (for instance, if your API is temporarily unavailable), we will start retrying. Our retry policy is similar to jittered exponential backoffarrow-up-right. We will immediately perform some fast retries and then start waiting increasingly longer. We will keep retrying for up to 24 hours. If we continue to receive any other status codes than 2xx after retrying for 24 hours, we will discard the webhook.

We apply this retry policy for all supported entities.

hashtag
Handling duplicated webhooks

OffBlocks can't guarantee that you only receive a single webhook notification for each update. As such, your integration should have logic that can handle receiving multiple webhooks for a given update. Similarly, due to networking limitations, we can't guarantee webhooks to be delivered in a correct chronological order. Your system needs to be able to handle out-of-order notifications.

For example, imagine OffBlocks sends a transaction.updated webhook with status processed, but doesn't receive a 200 response due to network issues from the recipient. In this case, OffBlocks sends an extra transaction.updated webhook with status processed as it can't confirm the previous one was received, regardless of the current status of the transaction. Your integration should be able to handle such possibilities.

hashtag
Webhook Notification Verification

Every webhook notification we send contains an HTTP signature that you can verify to ensure it has been sent from us, a verified source. Although it is not required, we strongly recommend verifying notification signature, or you risk accepting fraudulent events.

Each webhook notification contains a set of headers for you to verify, following the signing procedure outlined in Request Signatures. There are a few steps required to verifying the webhook signatures. We'll go through each one below.

hashtag
Retrieve Webhook Verification Key

To verify the signature, you need to grab a public key (encoded in PEM formatarrow-up-right). This is available through our REST API and can be retrieved by doing a GET call on the /webhooks/verification-key endpoint.

hashtag
Retrieve webhook verification key

get
/webhooks/verification-key

Retrieves webhook verification key

Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
SignaturestringRequired

HTTP message signature

Signature-InputstringRequired

HTTP message signature input

Responses
chevron-right
200

Successful operation

application/json

Webhook verification key

keyIdstring Β· uuidRequired

Unique ID of verification key

keystring Β· byteRequired

Base64 encoded public key used for verifying webhook notifications. Requirements for cryptographic algorithms and more details can be found in our documentation

get
/webhooks/verification-key

hashtag
Extract Webhook Headers

On each webhook HTTP request, there are three headers that will be needed for verification.

  • Content-Digest: a sha-512 hash of serialised request content, or body.

  • Signature-Input: a Dictionary structured field containing the metadata for a signatures generated from components within the HTTP request (see IETF specificationarrow-up-right for more details)

  • Signature: a Dictionary structured field containing a message signatures generated from the signature context of the target message (see IETF specificationarrow-up-right for more details)

All webhook requests are signed using ECDSA with curve P-384 DSS and SHA-384arrow-up-right as a signing algorithm, while digest is always calculated using sha-512 hashing algorithm.

hashtag
Verification

Now that you have the webhook body, webhook signature headers, and the public key, you can use these data points to do the verification.

We actively develop a Go libraryarrow-up-right to support HTTP message signatures as well as contribute to a Node.js libraryarrow-up-right. Reach out to us if you're using other technologies on your backend and we'll be happy to assist with any issues integrating HTTP message signatures.

For example, if you're using Go-based backend, you can use following code snippet to verify webhook request's digest and signature:

PreviousTransactionsNextSimulator

Last updated