Webhooks

Webhooks allow you to receive real-time notifications when events occur in your account. Instead of polling the API, webhooks push data to your server when things happen.

How It Works

Configure Endpoint

Add a webhook endpoint URL in your Dashboard

Subscribe to Events

Choose which events you want to receive

Receive Events

Your server receives POST requests with event data

Acknowledge

Return 2xx status to confirm receipt

Event Format

All webhook events follow this structure:

{
  "id": "evt_abc123",
  "type": "transaction.completed",
  "organizationId": "org_xyz",
  "createdAt": 1703520000000,
  "data": {
    "transactionId": "txn_123",
    "cardId": "card_456",
    "amount": 2500,
    "merchantName": "DoorDash"
  }
}

Event Types

Transactions

Event	Description
`transaction.authorized`	Pending hold placed
`transaction.completed`	Transaction settled
`transaction.declined`	Transaction rejected
`transaction.reversed`	Refund processed

Cards

Event	Description
`card.created`	Card issued
`card.frozen`	Card frozen
`card.closed`	Card closed
`card.expired`	TTL reached

Agents

Event	Description
`agent.created`	Agent created
`agent.suspended`	Agent suspended
`agent.limit_exceeded`	Spending limit hit

Users

Event	Description
`user.application.approved`	KYC passed
`user.application.denied`	KYC failed
`user.balance.updated`	Balance changed

Deposits & Withdrawals

Event	Description
`deposit.received`	Funds received
`deposit.address_ready`	Deposit address available
`withdrawal.submitted`	Withdrawal initiated
`withdrawal.confirmed`	Withdrawal confirmed
`withdrawal.failed`	Withdrawal failed

3DS

Event	Description
`challenge.requested`	OTP available

Disputes

Event	Description
`dispute.created`	Chargeback initiated
`dispute.resolved`	Chargeback resolved

Signature Verification

All webhooks include a signature for verification: Headers:

svix-id - Unique message ID
svix-timestamp - Unix timestamp
svix-signature - HMAC signature

Verification (Node.js):

import { Webhook } from 'svix';

const webhook = new Webhook(process.env.WEBHOOK_SECRET);

app.post('/webhooks', (req, res) => {
  try {
    const payload = webhook.verify(
      req.body,
      {
        'svix-id': req.headers['svix-id'],
        'svix-timestamp': req.headers['svix-timestamp'],
        'svix-signature': req.headers['svix-signature']
      }
    );

    // Process the event
    console.log(payload.type, payload.data);

    res.status(200).send('OK');
  } catch (err) {
    res.status(400).send('Invalid signature');
  }
});

Retry Policy

Failed deliveries are retried with exponential backoff:

Attempt	Delay
1	Immediate
2	5 seconds
3	5 minutes
4	30 minutes
5	2 hours
6	5 hours
7	10 hours
8	24 hours

After 8 failed attempts, the event is marked as failed.

Best Practices

Return 2xx quickly

Process events asynchronously. Return 200 immediately, then process in background.

Handle duplicates

Use the id field to deduplicate. The same event may be delivered multiple times.

Verify signatures

Always verify the webhook signature to ensure authenticity.

Use HTTPS

Your endpoint must use HTTPS in production.

Testing

Use the Dashboard to send test events to your endpoint:

Go to Settings > Webhooks
Select your endpoint
Click Send Test Event
Choose an event type

Overview

​Webhooks

​How It Works

​Event Format

​Event Types

​Transactions

​Cards

​Agents

​Users

​Deposits & Withdrawals

​3DS

​Disputes

​Signature Verification

​Retry Policy

​Best Practices

​Testing