Webhooks

Introduction

Webhooks are a form of server-to-server communication which send notifications as soon as specific events occur. By subscribing to webhooks, you can reduce the number of API calls that your solution makes and build your solution to react to important events in real time.

This guide explains how to subscribe to webhooks and contains an explanation and sample payload for each webhook event.

How to subscribe to a webhook

First, your solution must expose a URL (HTTPS) where Solaris can send webhook notifications.

Then, for each event type you wish to subscribe to, you must call the POST Create a webhook subscription method. Supply the following in the request:

• event_type: The type of webhook event to subscribe to.
• url: The URL to which Solaris will send the webhook notification.

When you register a new webhook subscription, the Solaris API will check the availability of the provided URL by sending a single POST notification. The notification does not include a body, but it includes the SOLARIS-WEBHOOK-EVENT-TYPE header with a value of WEBHOOK-SUBSCRIPTION.

If your URL returns a 2XX HTTP response code, then the Solaris API will create the webhook subscription and return you a 201 Created response. In the response body, you will find the secret property. You must use the value of this property to verify the authenticity of Solaris webhook notifications. The API only exposes this secret once, so if you misplace it, then you must register a new webhook subscription.

How to update a webhook subscription

Once a webhook subscription has been created, it cannot be modified. You must delete the webhook subscription and register a new one with the desired updated properties.

Webhook notification delivery

Implement the following HTTP response codes for the URL where your solution will receive webhook notifications:

Any response code not listed above will place the webhook notification into a retry loop. The Solaris webhook service keeps track of the number of retries using a header; with each failed delivery, it will increase the count. After 20 unsuccessful retries over a period of seven days, the message will automatically expire.

Notification content

A webhook notification consists of two parts:

• Metadata: Information stored in the HTTP header. This could be information related to the webhook subscription itself (consistent across all webhook types) or it could include IDs of entities (e.g., person IDs) related to the webhook event that caused the notification.
• Payload: Information stored in the HTTP body. This usually contains all of the properties of the resource related to the webhook event that caused the notification.

Full list of webhook headers

Each webhook notification will contain the following headers:

• Content-Type: The media type of the webhook notification content.
• Solaris-Webhook-Id: ID of the webhook itself.
• Solaris-Webhook-Subscription-Id: ID of the subscription you created for the webhook event.
• Solaris-Webhook-Event-Type: The event type of the webhook notification. See the section below for a full list.
• Solaris-Entity-Id: ID of the Solaris entity related to the webhook notification. For example, in a PERSON_DELETED webhook notification, this header would contain the ID of a person whose data you must delete.
• Solaris-Webhook-Attempt: Indicates the number of times Solaris has attempted to deliver the webhook notification.
• Solaris-Webhook-Signature: SHA256 signature that you must use to verify the authenticity of the webhook. See the next section for more information.
• Solaris-Webhook-Callout-Timestamp: UTC timestamp from when the webhook notification was sent.
• User-Agent: Indicates the user agent that generated the webhook notification on Solaris' side.

Content verification

Solaris provides a signature hash in each webhook notification as the value of the Solaris-Webhook-Signature header. This allows you to verify that the notification really came from Solaris and protect against misuse of your webhook URL.

The webhook service generates the signature using the HMAC algorithm. It uses the secret from the webhook subscription as the HMAC key to encrypt the payload, and it encodes the digest used for the signature generation in the header. The Solaris-Webhook-Subscription-Id header references the relevant secret for calculating the signature.

We recommend that you use the raw message payload to generate a signature hash to verify the one received in the header. This ensures your implementation will not break in case additional fields are introduced. Moreover, calculating on the raw message will ensure that parsing errors do not compromise your ability to verify the authenticity of your webhook traffic.

Here is a Ruby example of how to validate a message by its signature:

digest_algorithm, signature = request.env['HTTP_SOLARIS_WEBHOOK_SIGNATURE'].split('=')
content = request.body.read

if OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(digest_algorithm), secret, content) != signature
  halt(422, 'Signature not correct')
end

# process notification

Mandatory webhook events

You are required to subscribe to the following webhook events for compliance purposes:

• ACCOUNT_CLOSURE_REQUEST
• BUSINESS_DELETED
• BUSINESS_SEIZURE_CREATED
• BUSINESS_SEIZURE_DELETED
• BUSINESS_SEIZURE_FULFILLED
• BUSINESS_SEIZURE_UPDATED
• PERSON_DELETED
• PERSON_SEIZURE_CREATED
• PERSON_SEIZURE_DELETED
• PERSON_SEIZURE_FULFILLED
• PERSON_SEIZURE_UPDATED
• POSTBOX_ITEM_CREATED

Beyond compliance requirements, different products require different webhook subscriptions in order to function well. Check the respective product feature guide to learn about which webhooks a particular product requires.

Full list of webhook events

Click the links below to see the full payload information for each webhook event:

• ACCOUNT_BLOCK
• ACCOUNT_CLOSURE
• ACCOUNT_CLOSURE_REQUEST
• ACCOUNT_LIMIT_CHANGE
• ACCOUNT_OPENING_REQUEST
• ACCOUNT_SNAPSHOT
• ACQUIRER_TOPUP_DECLINED
• ACQUIRER_TOPUP_EXECUTED
• ACQUIRER_TOPUP_PAYMENT_FAILED
• BENEFICIAL_OWNER
• BOOKING
• BUSINESS_CHANGED
• BUSINESS_DELETED
• BUSINESS_DIRECT_DEBIT_PROFILE_BLOCK_CANCELLED
• BUSINESS_DIRECT_DEBIT_PROFILE_BLOCK_SCHEDULED
• BUSINESS_FRONTING_APPLICATION
• BUSINESS_FRONTING_LOAN_PAYOUT
• BUSINESS_FRONTING_PAYOUT_UPDATE
• BUSINESS_FRONTING_RELATIONSHIP_STATUS_CHANGED
• BUSINESS_IDENTIFICATION
• BUSINESS_SEIZURE_CREATED
• BUSINESS_SEIZURE_DELETED
• BUSINESS_SEIZURE_FULFILLED
• BUSINESS_SEIZURE_UPDATED
• BUSINESS_TAX_IDENTIFICATION_CHANGED
• CARD_AUTHORIZATION
• CARD_AUTHORIZATION_DECLINE - LEGACY
• CARD_AUTHORIZATION_DECLINE_V2
• CARD_AUTHORIZATION_RESOLUTION
• CARD_FRAUD_CASE_PENDING
• CARD_FRAUD_CASE_TIMEOUT
• CARD_LIFECYCLE_EVENT
• CARD_TOKEN_LIFECYCLE
• CASH_OPERATION_STATUS_CHANGED
• CONSUMER_FRONTING_APPLICATION
• CONSUMER_LOAN_APPLICATION
• CONSUMER_OVERDRAFT
• CONSUMER_OVERDRAFT_APPLICATION
• CREDIT_CARD_APPLICATION
• CREDIT_LINE
• DELEGATE_SCA_CANCEL
• FREELANCER_CREDIT_LINE_APPLICATION
• IDENTIFICATION
• IDENTIFICATION_ORIGINATION
• IDENTIFICATION_SESSION
• INCOMING_REJECTED_TRANSACTION
• INSTANT_SEPA_CREDIT_TRANSFER_EXECUTED
• INSTANT_SEPA_CREDIT_TRANSFER_FAILED
• LEGAL_REPRESENTATIVE
• LOAN
• OVERDRAFT
• OVERDRAFT_APPLICATION
• OVERDRAFT_LIMIT_CHANGE
• PERSON_CHANGED
• PERSON_DELETED
• PERSON_MOBILE_NUMBER_CREATED
• PERSON_MOBILE_NUMBER_DELETED
• PERSON_SEIZURE_CREATED
• PERSON_SEIZURE_DELETED
• PERSON_SEIZURE_FULFILLED
• PERSON_SEIZURE_UPDATED
• PERSON_TAX_IDENTIFICATION_CHANGED
• POTENTIAL_ACCOUNT_BLOCKING
• POSTBOX_ITEM_CREATED
• QUESTIONS_REQUIRE_RESPONSE
• REFERENCE_ACCOUNT_CREATED
• REFERENCE_ACCOUNT_INSTANT_PAYOUT_DECLINED
• REFERENCE_ACCOUNT_INSTANT_PAYOUT_EXECUTED
• REPAYMENT_PLAN
• RESERVATION_CREATED
• RESERVATION_RESOLVED
• SCA_CHALLENGE
• SEPA_CREDIT_TRANSACTION_DECLINED
• SEPA_DIRECT_DEBIT_RETURN
• SEPA_SCHEDULED_TRANSACTION
• SEPA_STANDING_ORDER
• SEPA_TIMED_ORDER