You can create a new webhook subscription or update an existing one using a PUT request to /webhooks. Whether you prefer to receive notifications for all entities through a single callback URL or require more granular configuration, you can achieve this by using the types parameter in the request body.
Create new or update an existing webhook
put
/webhooks
Creates new webhook subscription or updates an existing one
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
SignaturestringRequired
HTTP message signature
Signature-InputstringRequired
HTTP message signature input
Idempotency-Keystring Β· uuidRequired
Idempotency key (UUID)
Content-DigeststringRequired
Content digest
Body
idstring Β· uuidOptional
Unique ID of the webhook to be updated
callbackUrlstring Β· uriRequired
URL to be subscribed for receiving events
Example: https://example.com/callback
Responses
200
Successful operation
application/json
400
Invalid request
401
Not authorised
500
Internal error
put
/webhooks
Retrieving Webhook Subscriptions
You can retrieve and existing webhook subscription using a GET request to /webhooks/{webhookId}.
Retrieve webhook subscription information
get
/webhooks/{webhookId}
Retrieves webhook subscription information
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
webhookIdstring Β· uuidRequired
Unique webhook ID
Header parameters
SignaturestringRequired
HTTP message signature
Signature-InputstringRequired
HTTP message signature input
Responses
200
Successful operation
application/json
400
Invalid request
401
Not authorised
404
Webhook not found
500
Internal error
get
/webhooks/{webhookId}
To retrieve all active webhook subscriptions, make a GET request to /webhooks.
Retrieve all active webhooks
get
/webhooks
Retrieves all active webhooks
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
SignaturestringRequired
HTTP message signature
Signature-InputstringRequired
HTTP message signature input
Responses
200
Successful operation
application/json
400
Invalid request
401
Not authorised
500
Internal error
get
/webhooks
Removing Webhook Subscriptions
If you wish to remove a webhook subscription, you can do so by sending a DELETE request to /webhooks/{webhookId}.
Remove webhook subscription
delete
/webhooks/{webhookId}
Removes webhook subscription
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Path parameters
webhookIdstring Β· uuidRequired
Unique webhook ID
Header parameters
SignaturestringRequired
HTTP message signature
Signature-InputstringRequired
HTTP message signature input
Idempotency-Keystring Β· uuidRequired
Idempotency key (UUID)
Responses
204
Successful operation
400
Invalid request
401
Not authorised
404
Webhook not found
500
Internal error
delete
/webhooks/{webhookId}
No content
Schema
This portion of our API is in active development and may be updated frequently. Please, reach out to us if something is not working or not working as expected
Every webhook event object has a discriminator webhookType field followed by all fields included in a respective entity schema:
We consider a webhook successfully delivered when we receive a success status code (2xx) from your webhook URI.
If we receive any other status code (for instance, if your API is temporarily unavailable), we will start retrying. Our retry policy is similar to jittered exponential backoff. We will immediately perform some fast retries and then start waiting increasingly longer. We will keep retrying for up to 24 hours. If we continue to receive any other status codes than 2xx after retrying for 24 hours, we will discard the webhook.
We apply this retry policy for all supported entities.
Handling duplicated webhooks
OffBlocks can't guarantee that you only receive a single webhook notification for each update. As such, your integration should have logic that can handle receiving multiple webhooks for a given update. Similarly, due to networking limitations, we can't guarantee webhooks to be delivered in a correct chronological order. Your system needs to be able to handle out-of-order notifications.
For example, imagine OffBlocks sends a transaction.updated webhook with status processed, but doesn't receive a 200 response due to network issues from the recipient. In this case, OffBlocks sends an extra transaction.updated webhook with status processed as it can't confirm the previous one was received, regardless of the current status of the transaction. Your integration should be able to handle such possibilities.
Webhook Notification Verification
Every webhook notification we send contains an HTTP signature that you can verify to ensure it has been sent from us, a verified source. Although it is not required, we strongly recommend verifying notification signature, or you risk accepting fraudulent events.
Each webhook notification contains a set of headers for you to verify, following the signing procedure outlined in Request Signatures. There are a few steps required to verifying the webhook signatures. We'll go through each one below.
Retrieve Webhook Verification Key
To verify the signature, you need to grab a public key (encoded in PEM format). This is available through our REST API and can be retrieved by doing a GET call on the /webhooks/verification-key endpoint.
Retrieve webhook verification key
get
/webhooks/verification-key
Retrieves webhook verification key
Authorizations
AuthorizationstringRequired
Bearer authentication header of the form Bearer <token>.
Header parameters
SignaturestringRequired
HTTP message signature
Signature-InputstringRequired
HTTP message signature input
Responses
200
Successful operation
application/json
400
Invalid request
401
Not authorised
500
Internal error
get
/webhooks/verification-key
Extract Webhook Headers
On each webhook HTTP request, there are three headers that will be needed for verification.
Content-Digest: a sha-512 hash of serialised request content, or body.
Signature-Input: a Dictionary structured field containing the metadata for a signatures generated from components within the HTTP request (see IETF specification for more details)
Signature: a Dictionary structured field containing a message signatures generated from the signature context of the target message (see IETF specification for more details)
All webhook requests are signed using ECDSA with curve P-384 DSS and SHA-384 as a signing algorithm, while digest is always calculated using sha-512 hashing algorithm.
Verification
Now that you have the webhook body, webhook signature headers, and the public key, you can use these data points to do the verification.
We actively develop a Go library to support HTTP message signatures as well as contribute to a Node.js library. Reach out to us if you're using other technologies on your backend and we'll be happy to assist with any issues integrating HTTP message signatures.
For example, if you're using Go-based backend, you can use following code snippet to verify webhook request's digest and signature:
GET /v1/webhooks/{webhookId} HTTP/1.1
Host: api.offblocks.xyz
Authorization: Bearer YOUR_SECRET_TOKEN
Signature: text
Signature-Input: text
Accept: */*
GET /v1/webhooks/verification-key HTTP/1.1
Host: api.offblocks.xyz
Authorization: Bearer YOUR_SECRET_TOKEN
Signature: text
Signature-Input: text
Accept: */*
