Use Webhooks

Webhooks are used to notify your application of events that have occurred in the Fordefi platform.

When you create a webhook, a notification is sent each time a triggering event occurs. The following events are currently supported by the platform:

  • Incoming transactions received by the system
  • Status changes of outgoing transactions (such as signed, mined, and others)

Monitor Webhooks

In the Fordefi web console, click Settings, then click the Webhooks tab.

This screen displays all the webhooks you have created. The following details are shown:

  • Webhook name

  • Callback URL

  • Trigger (currently, transactions only)

  • Created date and author

  • Date of latest successful call

  • Webhook status. Can be one of the following:

    • Active: webhook notifications are being sent successfully.

    • Active with error: the last webhook was not received but the webhook will continue sending notifications.

    • Suspended: Fordefi tried sending notifications for five days and failed; further webhook notifications are suspended. Right-click a suspended webhook to display more options for testing, deleting, or reviving the webhook.

Configure a Webhook

  1. In the Fordefi web console, click Settings, then click the Webhooks tab.

  2. Click Configure webhook.

    In the dialog that appears, enter:

    • Webhook subscription name: A descriptive name for the webhook.
    • Callback URL: The URL to which Fordefi should deliver the notification. For example, https://your-domain.com/webhook/path. Only HTTPS URLs are permitted.
    • Trigger: Choose a trigger from the list. Currently, only Transactions is supported.
  3. Click Configure.

Webhook Event Structure

Webhook messages sent by the Fordefi platform to your service use JSON structures. See the Fordefi API reference for more information.

Validate a Webhook

Each webhook notification includes a signature on the payload. Use this signature to validate the webhook message: it verifies that the message actually came from Fordefi's backend and was not tampered with in transit, for example by a man-in-the-middle (MitM) attacker.

The following example code validates the webhook signature. It reads the signature from the X-Signature header, base64-decodes it, and verifies it against the raw request body with Fordefi's public key:

import base64
import hashlib
import ecdsa
from ecdsa.util import sigdecode_der
from flask import Flask, request
from http import HTTPStatus

app = Flask(__name__)


FORDEFI_PUBLIC_KEY = """
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQJ0NeDYQqqeCvgDofFsgtgaxk+dx
ybi63YGJwHz8Ebx7YQrmwNWnW3bG65E8wGHqZECjuaK2GKHbZx1EV2ws9A==
-----END PUBLIC KEY-----
"""

signature_pub_key = ecdsa.VerifyingKey.from_pem(FORDEFI_PUBLIC_KEY)


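@app.route("/", methods=["POST"])
def handle():
    signature = request.headers.get("X-Signature")
    if signature is None:
        return "Missing signature", HTTPStatus.UNAUTHORIZED

    try:
        # Verify over the raw request body, exactly as received.
        # verify() raises BadSignatureError when the signature does not match;
        # b64decode() raises ValueError on malformed base64.
        signature_pub_key.verify(
            signature=base64.b64decode(signature),
            data=request.get_data(),
            hashfunc=hashlib.sha256,
            sigdecode=sigdecode_der,
        )
    except (ValueError, ecdsa.BadSignatureError):
        return "Invalid signature", HTTPStatus.UNAUTHORIZED

    print(f"Received event: {request.get_data().decode()}")
    return "OK", HTTPStatus.OK


if __name__ == "__main__":
    # Debug mode is left off: it enables Flask's interactive debugger.
    app.run(port=8080)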

Resend Notifications

Resend all failed webhook notifications

To achieve high reliability and deliverability of event notifications, Fordefi retries a webhook when an attempt to send the message has failed. The mechanism employs exponential backoff: the wait time increases exponentially after every failure (two seconds, four seconds, eight seconds, and so on) until the maximum backoff time of 12 hours is reached. After that, a retry is attempted every 12 hours until three days after the first attempt, when retries end.

Resend missed notifications for a specific transaction

If you missed a webhook, you can POST a Trigger Transaction Webhook call. It resends two transaction-state-change events: one for the first state of the transaction and one for the last state of the transaction.