> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anchorage.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhook testing

> Step-by-step guide to testing webhooks in the Anchorage Digital sandbox environment.

<Steps>
  <Step title="Create your webhook endpoint">
    Either create your own endpoint or use the [Svix playground](https://www.svix.com/play/) for rapid testing.

    Once you have an endpoint, register it via API or the web dashboard:

    * **API:** [Create a webhook endpoint](/knowledge-base/api-reference/v2/webhook-notifications/create-webhook-endpoint) — use the `url` field to register the endpoint.
    * **Web dashboard:** [Create webhooks](https://clientdashboard.anchorage-staging.com/webhooks/)
  </Step>

  <Step title="List available events and subscribe">
    * **API:** [List webhook event types](/knowledge-base/api-reference/v2/webhook-notifications/list-webhook-event-types)
    * **API:** [Create webhook subscriptions](/knowledge-base/api-reference/v2/webhook-notifications/create-webhook-subscriptions) — use the `endpointId` to subscribe to any or all event types.
    * **Web dashboard:** [Select events](https://clientdashboard.anchorage-staging.com/webhooks/)
  </Step>

  <Step title="Get validation key">
    The validation key is used to verify that webhook messages originate from Anchorage Digital. Find it on the web dashboard or via API.

    **Sandbox validation key:**

    ```text theme={null}
    c14b7f3da18abb17b7304f925a68b18c1ea0dad6663b6b54cb67a737ecb77cd0
    ```

    * **API:** [Get webhook validation key](/knowledge-base/api-reference/v2/webhook-notifications/get-webhook-validation-key)
  </Step>

  <Step title="Trigger an event">
    To test in sandbox, send testnet assets to a wallet, or attempt a withdrawal or transfer via API or the iOS app.

    For a deposit event:

    1. Generate a new wallet address for BTC Signet (`BTC_S`) via Postman or the API reference.
    2. Use the [BTC Signet Faucet](https://signetfaucet.com/) to send testnet BTC to that address.
  </Step>

  <Step title="Receive the webhook message">
    Once the event fires, your endpoint will receive a message like the following:

    <CodeGroup>
      ```json Deposit theme={null}
      {
        "payload": "eyJ0cmFuc2FjdGlvbklkIjoiNjE4Y2JkNTVlNzE2ZmFlMGVkODNjYTcyOWM4MDI2NmEifQ==",
        "timestamp": 1729112450,
        "message_id": "aa2dbc06-1665-44c0-bb8e-d2b0ad15a564",
        "event_type": "deposit.pending-attribution"
      }
      ```

      ```json KYC completed theme={null}
      {
        "payload": "eyJjdXN0b21lcklkIjoiZmJmMzYwOTlkZTMzNmQwMzkyODU0ZmQ5ZTY4NjQxMDcyMjFkYmRhMzBhOWQ1ZWQ4YWI1NWE4ZmZmNTU2NWY3MSIsImFwcGxpY2F0aW9uVHlwZSI6IlJJQV9QQ19JTlNUSVRVVElPTiJ9",
        "timestamp": 1729621585,
        "message_id": "0b136ab6-f837-4de4-9cd8-f8c3c122f443",
        "event_type": "program-customer-onboard.completed"
      }
      ```
    </CodeGroup>
  </Step>

  <Step title="Validate the message signature">
    Verify the webhook message is from Anchorage Digital using the validation key and the API signature header.

    You can validate manually or use an open-source tool:

    [Ed25519 signature tool](https://cyphr.me/ed25519_tool/ed.html)

    The `Api-Signature` header is hex-encoded. Decode it to raw bytes before verifying.

    | Field              | Value                                  |
    | :----------------- | :------------------------------------- |
    | Message encoding   | Text (UTF-8)                           |
    | Message            | Paste the raw request body             |
    | Key encoding       | Hex                                    |
    | Seed (private key) | Leave blank                            |
    | Public key         | Validation key                         |
    | Signature encoding | Hex                                    |
    | Signature          | Paste the `Api-Signature` header value |
  </Step>

  <Step title="Decode the payload">
    The `payload` field in the response body is Base64-encoded. Decode it to retrieve the event data.

    Use a [Base64 decode tool](https://www.base64decode.org/) — paste the `payload` value into the decode input.
  </Step>

  <Step title="Fetch additional details with the transaction ID">
    Use the decoded `transactionId` (or `customerId` for KYC events) to fetch full details from the API:

    * [List transactions](/knowledge-base/api-reference/v2/transactions/list-transactions)
    * *(RIA only)* [Get KYC onboarding status](/knowledge-base/api-reference/v2/onboarding/retrieve-uploaded-data-and-status-of-customer-onboarding)
  </Step>
</Steps>
