
Getting Started

This guide walks you through setting up and securely handling webhooks. Our implementation follows the Standard Webhooks specification. Webhook setup is simple: just define the URL where you want to receive event data. The Webhook Payloads for payment collections and accounts (i.e. Spotflow wallets and dynamic accounts) are documented separately. Follow these steps to set up your webhook:
  1. Access Webhook Settings: Navigate to the Spotflow Dashboard and go to Settings > API Keys.
  2. Define your URL: Enter the URL where you want to receive webhook events. You can typically find a dedicated field here for your Webhook URL.
  3. Save Changes: Enter the one-time code from your authenticator app and save the settings to activate the webhook URL.
Idempotency (The “No Duplicates” Rule): Each webhook event includes a unique webhook-id header. Use this identifier to implement idempotency. Your system must be designed to gracefully handle receiving the same event more than once (due to retries) without causing errors or duplicate actions.

Securing Webhooks: Trust, but Verify

To protect your system from bad actors and ensure the data is authentically from Spotflow, always validate the payload and use HTTPS. To verify signatures, we follow the Standard Webhooks specification. Each webhook request includes a signature header, which we send as x-spotflow-signature (the specification's webhook-signature header): an HMAC-SHA256 signature of the payload and timestamp.
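A receiver-side check that combines the signature rule above with the idempotency rule from Getting Started, as an added example that is not Spotflow's own code. It assumes the Standard Webhooks layout (HMAC-SHA256 over "id.timestamp.body", base64 "v1," entries, a webhook-timestamp header), a secret already decoded to raw bytes, and a 5-minute timestamp tolerance; the function names and the in-memory store are hypothetical.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; not stated on the page
SEEN_IDS = set()         # stand-in for a durable store (e.g. a unique DB column)


def expected_signature(secret, msg_id, timestamp, body):
    """Base64 HMAC-SHA256 over "<id>.<timestamp>.<raw body>" (Standard Webhooks layout)."""
    signed = msg_id.encode() + b"." + timestamp.encode() + b"." + body
    return base64.b64encode(hmac.new(secret, signed, hashlib.sha256).digest()).decode()


def verify_and_dedupe(headers, body, secret, now=None):
    """Return "process" or "duplicate"; raise ValueError for a request to reject.

    body must be the raw request bytes, not re-serialized JSON.
    """
    h = {k.lower(): v for k, v in headers.items()}
    try:
        msg_id = h["webhook-id"]
        timestamp = h["webhook-timestamp"]    # header name assumed from the spec
        sig_header = h["x-spotflow-signature"]
        ts = int(timestamp)
    except (KeyError, ValueError):
        raise ValueError("missing or malformed webhook headers")

    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance")

    want = expected_signature(secret, msg_id, timestamp, body).encode()
    # The header may carry several space-separated "v1,<base64>" entries.
    offered = [p.split(",", 1)[1] for p in sig_header.split() if p.startswith("v1,")]
    # Constant-time comparison avoids leaking how many bytes matched.
    if not any(hmac.compare_digest(want, c.encode()) for c in offered):
        raise ValueError("signature mismatch")

    # Deduplicate only after the signature checks out, so unauthenticated
    # requests cannot mark an id as already handled.
    if msg_id in SEEN_IDS:
        return "duplicate"
    SEEN_IDS.add(msg_id)
    return "process"
```

In production, replace SEEN_IDS with an atomic insert into persistent storage so that concurrent retries of the same webhook-id cannot both return "process".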
Ordering is Not Guaranteed: Webhook events may be delivered out of order due to network retries. Always use the webhook-id or other data within the payload to ensure correct event processing, regardless of arrival sequence.
You will always receive the latest payload data at the time of delivery, regardless of when the webhook event was initially emitted.