Webhooks Overview

Use webhooks to receive asynchronous provider callbacks and to inspect or replay authenticated card webhook events.

What Webhooks Cover

  • provider callback ingestion for card programs
  • authenticated review of stored card webhook events
  • replay of individual card webhook events when operationally required
For the canonical event catalogue, see Webhook Events.

Reviewed Public Endpoint Surface

The reviewed public webhook surface currently includes:
  • POST /api/v1/webhooks/cards/{provider} to receive provider callbacks
  • GET /api/v1/webhooks/cards/events/{card_id} to list authenticated card webhook events
  • POST /api/v1/webhooks/cards/events/{event_id}/replay to replay one authenticated card webhook event

When handling webhook deliveries:
  1. Accept the request quickly and return 2xx
  2. Verify the webhook signature
  3. Store the event idempotently
  4. Process the business effect asynchronously
  5. Keep replay-safe logic for retries and duplicate deliveries
Do not trust webhook payloads without signature verification.
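
The verify, store and enqueue steps above, as an added example that is not code from this documentation or its provider. It assumes a hex HMAC-SHA256 signature over the raw request body under a shared secret and a JSON payload carrying an `event_id` field; the function names, table layout and sample values are hypothetical.

```python
import hashlib
import hmac
import json
import queue
import sqlite3

# Assumptions (not from the page): the signature is a hex HMAC-SHA256 of the
# raw request body under a shared secret, and the JSON payload has "event_id".

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS events ("
               "event_id TEXT PRIMARY KEY, body BLOB NOT NULL)")
    return db

def sign(secret, raw_body):
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def handle_delivery(db, work, secret, raw_body, signature):
    """Return 'rejected', 'stored' or 'duplicate' for one delivery."""
    # Verify the exact bytes received, before parsing, in constant time.
    expected = sign(secret, raw_body).encode()
    if not hmac.compare_digest(expected, (signature or "").encode()):
        return "rejected"
    try:
        event_id = json.loads(raw_body)["event_id"]
    except (ValueError, KeyError, TypeError):
        return "rejected"
    if not isinstance(event_id, str) or not event_id:
        return "rejected"
    # Idempotent store: the primary key absorbs retries and duplicates.
    cur = db.execute("INSERT OR IGNORE INTO events VALUES (?, ?)",
                     (event_id, raw_body))
    db.commit()
    if cur.rowcount == 0:
        return "duplicate"   # already stored; still answer 2xx, do not re-queue
    work.put(event_id)       # business effect runs later, off the request path
    return "stored"

if __name__ == "__main__":
    db, work = open_store(), queue.Queue()
    secret = b"constructed-secret"                      # constructed sample
    body = b'{"event_id": "evt_0001", "kind": "demo"}'  # constructed sample
    sig = sign(secret, body)
    for b in (body, body, body.replace(b"0001", b"0002")):
        print(handle_delivery(db, work, secret, b, sig))
```

A worker draining the queue should key its business effect on the stored event ID, so a replayed event does not apply the effect twice.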

Compatibility Notes

  • Generic webhook endpoint CRUD such as POST /webhooks or GET /webhooks/{id} is not part of the reviewed public gateway route set at this time.
  • If your tenant has managed webhook endpoint configuration, treat that as a separately issued contract or console capability rather than a reviewed public HTTP route.

Webhook Management Note

Compatibility note for older webhook-management docs

Verify Signatures

Validate webhook authenticity safely

Webhook Events

See the event catalogue and payload examples

Handling Webhooks

Implementation guide and reliability patterns