Webhooks Overview
The business webhook system delivers real-time event notifications to your configured endpoint. This page explains the delivery model, verification, and operational expectations shared by all webhook types.
Supported Events
Delivery Model
- An event occurs in the platform.
- A webhook job is queued for your configured webhook URL.
- The platform sends a
POSTrequest with a signed JSON payload. - Your server verifies the signature and processes the event.
- If your endpoint does not return
200 OK, delivery is retried.
Headers
Every webhook request includes these headers:
Content-Type: application/jsonUser-Agent: Transfaar-Business-API/1.0X-Transfaar-Signature: <hmac_signature>
Signature Verification
All webhooks are signed with HMAC-SHA256 using the secret associated with your business API key.
To verify a webhook correctly:
- Read the raw request body before JSON parsing.
- Compute
HMAC-SHA256over the raw body bytes using your stored secret key. - Hex-encode the digest.
- Compare your computed digest with
X-Transfaar-Signatureusing a constant-time comparison.
If the signatures do not match, reject the webhook and do not process the payload.
Python Example
Node.js Example
Use raw-body middleware such as express.raw() for webhook routes. If you parse JSON first, signature verification can fail because the raw bytes have changed.
Retries And Delivery Semantics
Webhook delivery is asynchronous and non-blocking.
- Delivery jobs are queued in the background.
- Retries use exponential backoff.
- Retries happen when your endpoint does not return
200 OK, including network failures and non-200 responses. - Failed deliveries are logged for inspection.
Best Practices
- Respond quickly with
200 OKafter validation. - Process heavy downstream work asynchronously in your own system.
- Make handlers idempotent because retries can happen.
- Log received events for support and reconciliation.
- Reject invalid signatures immediately.
Configuration
To receive webhooks, you must:
- Create a business API key through the business API key management endpoints
- Configure a webhook URL when creating or updating your API key
- Ensure your webhook endpoint is publicly accessible and can accept POST requests
- Implement webhook signature verification in your endpoint
Testing
Use the mock and sandbox tooling in your non-production environment to validate:
- signature verification
- retry handling
- idempotent processing
- event-specific payload handling