Webhooks

Setup webhooks through the API in order to be notified of any Vibrant events.

curl -X 'POST' \
  'https://pos-api.sandbox.vibrant.app/pos/v1/webhooks' \
  -H 'accept: application/json' \
  -H 'apikey: vibrant_pos.YOUR_SECRET_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
  "enabledEvents": [   
    "payment_intent.succeeded"
  ],
  "description": "My PI succeeded webhook",
  "url": "https://myPlaceToReceiveWebhhoks.com/thanks",
  "status": "enabled"
  "metadata": {
    "remember_this": "something"
  }
}'

enabledEvents

It is possible to subscribe to one or more event types or * to get all events.

See the full list of possible event types in the API documentation: REST API doc create webhook

Create a webhook

POST/pos/v1/webhooks

Authorization

Header parameters

Body

enabledEvents*array of string

The list of events to enable for this endpoint. You may specify [’*’] to enable all events, except those that require explicit selection.

descriptionstring

Add a small description to your webhook

metadataall of

Set of key-value pairs that you can attach to an object. This can be useful for storing additional information about the object in a structured format. Individual keys can be unset by posting an empty value to them. All keys can be unset by posting an empty value to metadata.

url*string

The URL of the webhook endpoint.

status*string

Enables or Disables the webhook

Response

Body

id*string

Unique webhook id defined by Vibrant

object*string

Object type

accountId*string

account id of your account

apiVersion*string

Api version of this webhook

created*number

UnixtimeStamp when the webhook was created

updated*number

UnixtimeStamp when the webhook was updated

description*string

Custom description added to the webhook

enabledEvents*array of string

Events enabled for this webhook: balance.available,card_transaction.created,card_transaction.updated,charge.created,charge.failed,charge.pending,charge.refunded,charge.refund.updated,charge.succeeded,charge.updated,file.created,file.deleted,file.updated,location.created,location.deleted,location.updated,order.created,order.deleted,order.updated,payment_intent.canceled,payment_intent.created,payment_intent.payment_failed,payment_intent.processing,payment_intent.requires_action,payment_intent.requires_confirmation,payment_intent.requires_payment_method,payment_intent.succeeded,payout.canceled,payout.created,payout.failed,payout.paid,payout.updated,product.created,product.deleted,product.updated,refund.canceled,refund.created,refund.failed,refund.processing,refund.requires_confirmation,refund.requires_payment_method,refund.succeeded,spot.created,spot.deleted,spot.updated,terminal.action_canceled,terminal.action_failed,terminal.action_in_progress,terminal.action_succeeded,terminal.created,terminal.updated,trxn.created,user.created,user.deleted,user.updated,webhook.created,webhook.updated

status*string

Events enabled for this webhook

url*string

The url this webhooks should POST against

secret*string

NOT IMPLEMENTED YET - this secret should be used to validate the request Vibrant will be sending you

metadataobject

All custom values in here

Request

const response = await fetch('/pos/v1/webhooks', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: JSON.stringify({
      "enabledEvents": [
        "text"
      ],
      "url": "https://myPlaceToReceiveWebhhoks.com/thanks",
      "status": "enabled"
    }),
});
const data = await response.json();

Response

{
  "id": "we_wR7yMtTjefcSQjtgngVNkp",
  "object": "webhook",
  "accountId": "acct_wx7yMtTjefcSQjtgngVNkp",
  "apiVersion": "v1",
  "created": 1671087901251,
  "updated": 1671087901251,
  "description": "Custom descirption added",
  "enabledEvents": [
    "text"
  ],
  "status": "enabled",
  "url": "enabled",
  "secret": "234lkjsdklfjkjfSDFSDFKSDJFSDKSSSQ#€€%%%#"
}

url

The endpoint to which the events will be posted.

metadata

If desired it is possible to add some meta data to the webhook that can be retrieved again when getting the webhook object. The meta data will not be attached to the events.

status

Here it is possible to enable or disable the webhook.

Webhook event verification

Each webhook created in Vibrant holds a secret key.

This can be used to verify that the events posted to your webhook url is actually coming from Vibrant.

The secret key can be used to calculate an expected hash from a received message, to validate that the message in fact is from Vibrant and to this unique webhook.

How to verify messages:

Messages to a webhook hold a header named Vibrant-Signature.

The signature holds a timestamp and a hash, with comma in between.

t=1652744532,v0=1327f867e7efdzecb36ahfg46cgfs4fa51cad7e57f5g59pf736d6ce8f406d3fv

Follow these three steps to verify the Vibrant signature.

Create a string combining the value of timestamp t then a . and then the message body.
Compute a HMAC with the SHA256 hash function. Use the endpoint’s secret key as the key, and use the string from step 1. as the message.
Compare the Vibrant signature v0 from the header to the expected signature from step 2. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.

The timestamp is used to prevent replay attacks resending a valid message to your endpoint. So you can check if the timestamp is too old.

Webhook Retrial behaviour

Upon the registration of the webhook, Vibrant will initiate delivery attempts for the selected events specified during the webhook creation process. In the event of a delivery failure, Vibrant will engage in a series of retransmission attempts employing an exponential backoff strategy, initially prioritizing expedited delivery followed by subsequent attempts spread over a maximum period of 31 days.

Webhooks best practices

These are some of the practices recommended by Vibrant for a smooth webhook integration.

Acknowledgement of the webhooks

Upon receipt of a webhook from our system, it is imperative that the customer endpoint service promptly acknowledges receipt by sending a HTTP 200 OK response. This response serves as confirmation that the webhook payload has been successfully received and acknowledged by the third-party system. Failure to promptly respond with a 200 status code will result in unintended consequences, such as repeated delivery attempts.

PreviousTerminal actions NextPayouts

Last updated 3 months ago