Webhooks are enabled by Anchorage Digital upon request. Notify your integration point of contact to enable webhooks for your organization.
Managing webhooks from the dashboard
Step-by-step instructions and screenshots for creating and managing webhooks in the web dashboard are coming soon.
Subscribing to webhooks via API
API permission group configuration
Update your permission group to include the global permission Configure webhooks. Either create a new permission group or edit an existing one. See Permission Groups for instructions.Webhook validation key
The webhook validation key is a hex-encoded Ed25519 public key used to verify theApi-Signature header on incoming notifications. Retrieve it via the API and keep this value tamper-proof.
The API returns the key as a hex string (64 characters representing 32 bytes). This is the same format used in the code samples below.
Idempotency with message_id
Each message includes a message_id — treat it as an idempotent ID to detect duplicate deliveries. Also use timestamp to validate event freshness. For details on retry behavior, timeout requirements, and best practices, see Delivery and reliability.
Webhook schema
Schema
Create a webhook endpoint
List available event types
List the full set of event types configured for your organization before creating subscriptions.Example response
Create webhook subscriptions
Subscribe an endpoint to one or more event types. A notification is sent to all subscribed endpoints each time the event fires.Validate the signature and decode the payload
Every webhook request includes anApi-Signature header containing a hex-encoded Ed25519 signature. The signature is computed over the raw HTTP request body exactly as received — no timestamp prefix, no additional framing.
To verify:
- Hex-decode the
Api-Signatureheader value to get the raw signature bytes. - Verify the signature against the raw request body using the Ed25519 validation key.
- Base64-decode the
payloadfield inside the JSON body to get the event data.
Payload encryption (optional)
By default, webhook payloads are sent as plaintext JSON signed with theApi-Signature header. For an additional layer of security, you can enable ECIES payload encryption by registering a secp256k1 public key with your endpoint.
How it works
When you register an endpoint with apublic_key, Anchorage Digital encrypts the entire webhook payload using ECIES (Elliptic Curve Integrated Encryption Scheme) with your secp256k1 public key before delivery. The encrypted request differs from a standard webhook in two ways:
To process an encrypted webhook:
- Verify the
Api-Signatureagainst the raw request body (the ciphertext). - Decrypt the body using your secp256k1 private key to recover the JSON
WebhookMessage. - Base64-decode the
payloadfield inside the decrypted JSON.
Key format
Thepublic_key field must be a PEM-encoded secp256k1 public key. This is different from the validation key, which is returned as a hex-encoded Ed25519 key.
To enable encryption, include the
public_key field when creating or updating your webhook endpoint. To disable encryption, remove the public_key from the endpoint configuration.