Vibrant
Search
K
Comment on page

Webhooks

Setup webhooks through the API in order to be notified of any Vibrant events.
curl
curl -X 'POST' \
'https://pos-api.sandbox.vibrant.app/pos/v1/webhooks' \
-H 'accept: application/json' \
-H 'apikey: vibrant_pos.YOUR_SECRET_KEY' \
-H 'Content-Type: application/json' \
-d '{
"enabledEvents": [
"payment_intent.succeeded"
],
"description": "My PI succeeded webhook",
"url": "https://myPlaceToReceiveWebhhoks.com/thanks",
"status": "enabled"
"metadata": {
"remember_this": "something"
}
}'
enabledEvents
It is possible to subscribe to one or more event types or * to get all events.
See the full list of possible event types in the API documentation: REST API doc create webhook
post
/pos/v1/webhooks
Create a webhook
url
The endpoint to which the events will be posted.
metadata
If desired it is possible to add some meta data to the webhook that can be retrieved again when getting the webhook object. The meta data will not be attached to the events.
status
Here it is possible to enable or disable the webhook.

Webhook event verification

Each webhook created in Vibrant holds a secret key.
This can be used to verify that the events posted to your webhook url is actually coming from Vibrant.
The secret key can be used to calculate an expected hash from a received message, to validate that the message in fact is from Vibrant and to this unique webhook.
How to verify messages:
Messages to a webhook hold a header named Vibrant-Signature.
The signature holds a timestamp and a hash, with comma in between.
t=1652744532,v0=1327f867e7efdzecb36ahfg46cgfs4fa51cad7e57f5g59pf736d6ce8f406d3fv
Follow these three steps to verify the Vibrant signature.
  1. 1.
    Create a string combining the value of timestamp t then a . and then the message body.
  2. 2.
    Compute a HMAC with the SHA256 hash function. Use the endpoint’s secret key as the key, and use the string from step 1. as the message.
  3. 3.
    Compare the Vibrant signature v0 from the header to the expected signature from step 2. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.
The timestamp is used to prevent replay attacks resending a valid message to your endpoint. So you can check if the timestamp is too old.
Vibrant Sandbox - Previous
Terminal actions
Next - Vibrant Sandbox
Payouts
Last modified 6mo ago