Webhooks are a form of server-to-server communication which send notifications as soon as specific events occur. By subscribing to webhooks, you can reduce the number of API calls that your solution makes and build your solution to react to important events in real time.
This guide explains how to subscribe to webhooks and contains an explanation and sample payload for each webhook event.
Make sure you have the following:
- A service URL (HTTPS) exposed on your server to receive POST requests.
- Your API credentials to create the subscription.
Please note that webhooks are intended for informational purposes only. Your solution's business logic should not directly use the contents of the webhook payload (with the exception of seizure-related webhooks). Please use the Solaris API's GET endpoints to retrieve information about resources for your business logic.
First, your solution must expose a URL (HTTPS) where Solaris can send webhook notifications.
Then, for each event type you wish to subscribe to, you must call the POST Create a webhook subscription method. Supply the following in the request:
event_type: The type of webhook event to subscribe to.url: The URL to which Solaris will send the webhook notification.
When you register a new webhook subscription, the Solaris API will check the availability of the provided URL by sending a single POST notification. The notification does not include a body, but it includes the SOLARIS-WEBHOOK-EVENT-TYPE header with a value of WEBHOOK-SUBSCRIPTION.
If your URL returns a 2XX HTTP response code, then the Solaris API will create the webhook subscription and return you a 201 Created response. In the response body, you will find the secret property. You must use the value of this property to verify the authenticity of Solaris webhook notifications. The API only exposes this secret once, so if you misplace it, then you must register a new webhook subscription.
Once a webhook subscription has been created, it cannot be modified. You must delete the webhook subscription and register a new one with the desired updated properties.
Implement the following HTTP response codes for the URL where your solution will receive webhook notifications:
| Response Code | Reaction |
|---|---|
2xx - Success | Solaris' webhook service assumes that the notification was successfully delivered. |
410 - Gone | Solaris' webhook service marks the notification delivery as rejected and cancels the subscription on this particular URL. |
422 - Unprocessable Entity | The delivery is marked as rejected, and Solaris' webhook service will not re-attempt to deliver the notification. |
Solaris expects a response from your server within 30 seconds.
If your business logic takes longer than 30 seconds to process a webhook, the delivery will fail and enter the retry loop.
Best Practice: We recommend that your server immediately returns a 2xx status code to acknowledge receipt, and then processes the business logic asynchronously (e.g., using a background job queue).
If the delivery fails or times out, the notification enters a retry loop using an exponential backoff strategy:
- Timeout: 30 seconds
- Maximum attempts: 25
- Initial interval: 5 seconds
- Backoff rate: 1.561
With the exponential backoff configuration above (interval increasing by a factor of 1.561 after every attempt), Solaris will attempt to deliver the message for approximately 5 days before the message expires.
A webhook notification consists of two parts:
- Metadata: Information stored in the HTTP header. This could be information related to the webhook subscription itself (consistent across all webhook types) or it could include IDs of entities (e.g., person IDs) related to the webhook event that caused the notification.
- Payload: Information stored in the HTTP body. This usually contains all of the properties of the resource related to the webhook event that caused the notification.
Each webhook notification will contain the following headers:
- Content-Type: The media type of the webhook notification content.
- Solaris-Webhook-Id: ID of the webhook itself.
- Solaris-Webhook-Subscription-Id: ID of the subscription you created for the webhook event.
- Solaris-Webhook-Event-Type: The event type of the webhook notification. See the section below for a full list.
- Solaris-Entity-Id: ID of the Solaris entity related to the webhook notification. For example, in a PERSON_DELETED webhook notification, this header would contain the ID of a person whose data you must delete.
- Solaris-Webhook-Attempt: Indicates the number of times Solaris has attempted to deliver the webhook notification.
- Solaris-Webhook-Signature: SHA256 signature that you must use to verify the authenticity of the webhook. See the next section for more information.
- Solaris-Webhook-Callout-Timestamp: UTC timestamp from when the webhook notification was sent.
- User-Agent: Indicates the user agent that generated the webhook notification on Solaris' side.
Solaris provides a signature hash in each webhook notification as the value of the Solaris-Webhook-Signature header. This allows you to verify that the notification really came from Solaris and protect against misuse of your webhook URL.
The header value is prefixed with the hashing algorithm (for example, sha256=).
The webhook service generates the signature using the HMAC algorithm. It uses the secret from the webhook subscription as the HMAC key to encrypt the payload, and it encodes the digest used for the signature generation in the header. The Solaris-Webhook-Subscription-Id header references the relevant secret for calculating the signature.
We recommend that you use the raw message payload to generate a signature hash to verify the one received in the header. This ensures your implementation will not break in case additional fields are introduced. Moreover, calculating on the raw message will ensure that parsing errors do not compromise your ability to verify the authenticity of your webhook traffic.
Here is a Ruby example of how to validate a message by its signature:
digest_algorithm, signature = request.env['HTTP_SOLARIS_WEBHOOK_SIGNATURE'].split('=')
content = request.body.read
# 1. Verify the signature
if OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest_algorithm), secret, content) != signature
halt(422, 'Signature not correct')
end
# 2. Signature valid. Enqueue background job to process data asynchronously.
# (Do not process heavy logic here to avoid the 30s timeout)
BackgroundJob.enqueue(content)
# 3. Acknowledge receipt immediately
status 200You are required to subscribe to specific webhook events for compliance purposes.
View mandatory compliance webhooks
Beyond compliance requirements, different products require different webhook subscriptions in order to function well. Check the respective product feature guide to learn about which webhooks a particular product requires.
Click the links below to see the full payload information for each webhook event.
View all available webhook events
- ACCOUNT_BLOCK
- ACCOUNT_CLOSURE
- ACCOUNT_CLOSURE_REQUEST
- ACCOUNT_LIMIT_CHANGE
- ACCOUNT_OPENING_REQUEST
- ACCOUNT_SNAPSHOT
- ACQUIRER_TOPUP_DECLINED
- ACQUIRER_TOPUP_EXECUTED
- ACQUIRER_TOPUP_PAYMENT_FAILED
- BENEFICIAL_OWNER
- BOOKING
- BUSINESS_CHANGED
- BUSINESS_DELETED
- BUSINESS_DIRECT_DEBIT_PROFILE_BLOCK_CANCELLED
- BUSINESS_DIRECT_DEBIT_PROFILE_BLOCK_SCHEDULED
- BUSINESS_FRONTING_APPLICATION
- BUSINESS_FRONTING_LOAN_PAYOUT
- BUSINESS_FRONTING_PAYOUT_UPDATE
- BUSINESS_FRONTING_RELATIONSHIP_STATUS_CHANGED
- BUSINESS_IDENTIFICATION
- BUSINESS_SEIZURE_CREATED
- BUSINESS_SEIZURE_DELETED
- BUSINESS_SEIZURE_FULFILLED
- BUSINESS_SEIZURE_UPDATED
- BUSINESS_TAX_IDENTIFICATION_CHANGED
- CARD_AUTHORIZATION
- CARD_AUTHORIZATION_DECLINE - LEGACY
- CARD_AUTHORIZATION_DECLINE_V2
- CARD_AUTHORIZATION_RESOLUTION
- CARD_DELIVERY_TRACKING
- CARD_FRAUD_CASE_PENDING
- CARD_FRAUD_CASE_TIMEOUT
- CARD_LIFECYCLE_EVENT
- CARD_TOKEN_LIFECYCLE
- CASH_OPERATION_STATUS_CHANGED
- CONSUMER_FRONTING_APPLICATION
- CONSUMER_LOAN_APPLICATION
- CONSUMER_OVERDRAFT
- CONSUMER_OVERDRAFT_APPLICATION
- CONSUMER_OVERDRAFT_INTEREST_RATE_CHANGE
- CREDIT_CARD_APPLICATION
- CREDIT_LINE
- DELEGATE_SCA_CANCEL
- FREELANCER_CREDIT_LINE_APPLICATION
- FREELANCER_OVERDRAFT_INTEREST_RATE_CHANGE
- IDENTIFICATION
- IDENTIFICATION_ORIGINATION
- IDENTIFICATION_SESSION
- INCOMING_REJECTED_TRANSACTION
- INSTANT_SEPA_CREDIT_TRANSFER_EXECUTED
- INSTANT_SEPA_CREDIT_TRANSFER_FAILED
- LEGAL_REPRESENTATIVE
- LOAN
- OVERDRAFT
- OVERDRAFT_APPLICATION
- OVERDRAFT_LIMIT_CHANGE
- PERSON_CHANGED
- PERSON_DELETED
- PERSON_MOBILE_NUMBER_CREATED
- PERSON_MOBILE_NUMBER_DELETED
- PERSON_SEIZURE_CREATED
- PERSON_SEIZURE_DELETED
- PERSON_SEIZURE_FULFILLED
- PERSON_SEIZURE_UPDATED
- PERSON_TAX_IDENTIFICATION_CHANGED
- POTENTIAL_ACCOUNT_BLOCKING
- POSTBOX_ITEM_CREATED
- QUESTIONS_REQUIRE_RESPONSE
- REFERENCE_ACCOUNT_CREATED
- REFERENCE_ACCOUNT_INSTANT_PAYOUT_DECLINED
- REFERENCE_ACCOUNT_INSTANT_PAYOUT_EXECUTED
- RESERVATION_CREATED
- RESERVATION_RESOLVED
- SCA_CHALLENGE
- SEPA_CREDIT_TRANSACTION_DECLINED
- SEPA_DIRECT_DEBIT_RETURN
- SEPA_SCHEDULED_TRANSACTION
- SEPA_STANDING_ORDER
- SEPA_TIMED_ORDER
- TRUSTED_IBAN_CONFIRMED
- SCHEDULED_TRANSFER_STATUS_CHANGED