> ## Documentation Index
> Fetch the complete documentation index at: https://docs.qonto.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Setup and supported events

> To be notified of events happening during the onboarding flow, you can subscribe to webhooks.

## Setup

### Registering a webhook endpoint

You can accomplish that with the `POST /data_api/webhooks` endpoint.

In the payload you will need to provide:

* `callback_url`: the URL that the events we'll be POST'ed to
* `secret`: the secret to use when generating a HMAC-SHA256 signature to sign the payload

### Verifying webhook event with Qonto-SHA256-Signature

In order to verify that a webhook is coming from Qonto, you may compute the HMAC-SHA256 signature
of the payload and compare it with the `Qonto-SHA256-Signature` header.

The `secret_key` below in the examples is the one configured in your created webhook subscription.

Sample code:

```ruby theme={null}
require 'openssl'
require 'json'

response_body_string = JSON.generate(
  {
    "id": "75341dcb-0376-474d-97d7-d2c03ff3973c",
    "event_type": "registrations.pending",
    "resource_type": "registration",
    "resource_id": "525817f7-93e8-4f31-a83d-20319778b4b0",
    "created_at": "2022-08-29T13:17:32Z"
  }
)

OpenSSL::HMAC.hexdigest("SHA256", "secret_key", response_body_string)
# => b0d249e653f1310fa5b7f26d5682548afa1799353b92fcafd4cacbd90312023e
```

```python theme={null}
import hashlib
import hmac
import json

response_body_string = json.dumps(
  {
    "id": "75341dcb-0376-474d-97d7-d2c03ff3973c",
    "event_type": "registrations.pending",
    "resource_type": "registration",
    "resource_id": "525817f7-93e8-4f31-a83d-20319778b4b0",
    "created_at": "2022-08-29T13:17:32Z"
  },
  separators=(',', ':')
)

hmac.new(
    key="secret_key".encode('utf-8'),
    msg=response_body_string.encode('utf-8'),
    digestmod=hashlib.sha256
).hexdigest()
# => b0d249e653f1310fa5b7f26d5682548afa1799353b92fcafd4cacbd90312023e
```

### Retries

Qonto employs an exponential backoff strategy, retrying webhook delivery approximately 10 times over 2 days. If delivery fails within this period, the webhook is discarded.

Due to the retry mechanism, you may receive an older event after a newer one, so ensure your system handles this by checking the `event_type` to manage the event lifecycle properly.

***

## Supported events

The events that are published depend on the flow in which the user is onboarded (company creation or existing company case).

### Registration events

Those events will be fired during either flows (company creation / existing company) for the register:

* `registrations.pending`: a new registration is created, and is now in `pending` status
* `registrations.user_started`: user started the onboarding flow (login created or existing user logged in)
* `registrations.contract_signed`: contract is signed = user has successfully processed payment
* `registrations.completed`: Kbis was uploaded in Qonto & KYB is done. User now has an active bank account to use
* `organizations.deleted`: an organization was deleted because the associated registration was reset in Qonto (only for company creation flow)

### Company  Creation / Capital Deposit events

Those events will be fired when the user will actually start and proceed for their capital deposit (after `registrations.contract_signed` and before `registrations.completed`).
Events depends on the legal country of the company being created:

#### French Company Creation events

* `registrations.submitted`: registration is submitted = user is in the main app and ready to start capital deposit process
* `registrations.capital_deposit_activated`: capital deposit is in progress (email was sent to shareholders to pay their shares and Qonto is waiting to receive the full capital deposit)
* `registrations.capital_deposit_request_signed`: shareholders have all paid their shares, have reviewed the documentation to be sent to the notary, notary is preparing the certificate
* `registrations.capital_deposit_certificate_signed`: deposit certificate is signed by the notary, sent to the user and available through API

#### German Company Creation events

* `registrations.capital_deposit_statement_ready`: capital deposit statement is available through API

<Info>
  Whenever receiving a webhook event, the request body will not include the registration object.
  <br />If you need further information, you can fetch again the registration.
</Info>

<Warning>
  You will receive webhook events only for registrations with `seamless` flow type, since only these users will be onboarded through the fast track flow.
</Warning>