Registering to a webhook event type
You can register to a webhook event type by calling the POST /v2/webhook_subscriptions endpoint.
By doing so, Qonto will call your callback_url each time there is a new event of the type you registered to.
To avoid overloading your server with too many requests, we recommend registering only to the events relevant to your use case.
Callback URL
Your callback_url must be publicly accessible and will have to acknowledge the webhook with a 2xx HTTP code.
Qonto will wait for your server to acknowledge the webhook for a maximum of 1 second.
To reduce your response time and avoid receiving the same webhook multiple times, we advise you to store the webhook in a queue system and process it asynchronously.
callback_url will be called with a POST request containing an X-Qonto-Signature header.
This header contains the HMAC-SHA256 signature of the payload, which you can use to verify that the webhook is coming from Qonto.
The signature header follows the format t={timestamp},v1={signature}.
Verification steps:
- Extract the timestamp and signature from the signature header
- Recreate the signed payload: {timestamp}.{raw_request_body}
- Compute HMAC-SHA256 of the signed payload using your webhook secret as the key
- Compare the computed signature with the one in the header

- Payload received: {"test":"data"}
- X-Qonto-Signature header: t=1704110400,v1=56aff06dc227db80d6568a5070f912c601c31f20451745d257cbc0b5dfa93805
- Secret: test-secret