Skip to main content
Webhooks are enabled by Anchorage Digital upon request. Notify your integration point of contact to enable webhooks for your organization.

Managing webhooks from the dashboard

Step-by-step instructions and screenshots for creating and managing webhooks in the web dashboard are coming soon.
For payload schema, signature validation, and code samples for a programmatic setup, see the API instructions below.

Subscribing to webhooks via API

API permission group configuration

Update your permission group to include the global permission Configure webhooks. Either create a new permission group or edit an existing one. See Permission Groups for instructions.

Webhook validation key

The webhook validation key is a hex-encoded Ed25519 public key used to verify the Api-Signature header on incoming notifications. Retrieve it via the API and keep this value tamper-proof. The API returns the key as a hex string (64 characters representing 32 bytes). This is the same format used in the code samples below.

Idempotency with message_id

Each message includes a message_id — treat it as an idempotent ID to detect duplicate deliveries. Also use timestamp to validate event freshness. For details on retry behavior, timeout requirements, and best practices, see Delivery and reliability.

Webhook schema

Schema

Create a webhook endpoint

List available event types

List the full set of event types configured for your organization before creating subscriptions.
Example response

Create webhook subscriptions

Subscribe an endpoint to one or more event types. A notification is sent to all subscribed endpoints each time the event fires.

Validate the signature and decode the payload

Every webhook request includes an Api-Signature header containing a hex-encoded Ed25519 signature. The signature is computed over the raw HTTP request body exactly as received — no timestamp prefix, no additional framing. To verify:
  1. Hex-decode the Api-Signature header value to get the raw signature bytes.
  2. Verify the signature against the raw request body using the Ed25519 validation key.
  3. Base64-decode the payload field inside the JSON body to get the event data.

Payload encryption (optional)

By default, webhook payloads are sent as plaintext JSON signed with the Api-Signature header. For an additional layer of security, you can enable ECIES payload encryption by registering a secp256k1 public key with your endpoint.

How it works

When you register an endpoint with a public_key, Anchorage Digital encrypts the entire webhook payload using ECIES (Elliptic Curve Integrated Encryption Scheme) with your secp256k1 public key before delivery. The encrypted request differs from a standard webhook in two ways: To process an encrypted webhook:
  1. Verify the Api-Signature against the raw request body (the ciphertext).
  2. Decrypt the body using your secp256k1 private key to recover the JSON WebhookMessage.
  3. Base64-decode the payload field inside the decrypted JSON.

Key format

The public_key field must be a PEM-encoded secp256k1 public key. This is different from the validation key, which is returned as a hex-encoded Ed25519 key. To enable encryption, include the public_key field when creating or updating your webhook endpoint. To disable encryption, remove the public_key from the endpoint configuration.

Manage endpoints and subscriptions

Once configured, update or cancel webhook endpoints and subscriptions as needed.

Additional resources