# Create a Webhook Create a Webhook to receive webhook events for specified entities (e.g., transfer, merchant) to a URL provided by you. When an enabled event occurs, Finix sends a POST request to this URL with the webhook event payload. {% admonition type="info" %} The response includes a secret_signing_key. Store this value securely. It is used to verify that incoming payloads were sent by Finix. {% /admonition %} Authentication Set authentication.type to control how Finix authenticates requests to your endpoint: - NONE (default) — No authentication header is sent - BASIC — Provide authentication.basic.username and authentication.basic.password - BEARER — Provide authentication.bearer.token To learn how to add webhook authentication, see Creating Authenticated Webhooks. Event Filtering By default, a new Webhook subscribes to a standard set of events. Include enabled_events to override the default set of events and receive only specific entity/type combinations. See Webhook Events for supported entities and event types. Endpoint: POST /webhooks Security: BasicAuth ## Header parameters: - `Finix-Version` (string) Specify the API version of your request. For more details, see Versioning. Example: "2022-02-01" - `Content-Type` (string) The data type being sent in the request body must be application/json. Example: "application/json" ## Response 201 fields (application/json): - `id` (string) The ID of the resource. - `created_at` (string) Timestamp of when the object was created. - `updated_at` (string) Timestamp of when the object was last updated. - `application` (string) ID of the Application the resource was created under. - `authentication` (object) Credentials included in webhook POST requests so your server can confirm each request originated from Finix. To learn about the different authentication methods, see [Managing Webhooks via API](/additional-resources/developers/webhooks/integrating-into-webhooks#managing-webhooks-via-api). - `authentication.type` (string) The type of authentication the Webhook will use: - NONE: No authentication will be used. - BASIC: Basic authentication. - BEARER: OAuth2 Bearer Token. Enum: "NONE", "BASIC", "BEARER" - `enabled` (boolean) Whether the Webhook is enabled. Disabled webhooks will not receive events. - true: Events are sent to the url. - false: Events are not sent to the url. - `enabled_events` (array) A list of webhook events to enable for API entities. There can be only one enabled event object per entity. This list is optional and overrides default webhook events. See [Webhook Events](/additional-resources/developers/webhooks/webhook-events) to learn which events are automatically subscribed at creation. When included in a PUT request, this list replaces all previously configured events. - `enabled_events.entity` (string) The API entity for which you want to receive webhook events. Example: "transfer" - `enabled_events.types` (array) A list of webhook event types you want to receive for the specified entity. See the [Webhook Events](/additional-resources/developers/webhooks/webhook-events) guide to learn which values are accepted for each entity. Example: ["created"] - `is_accepting_events` (boolean) Whether the Webhook is currently accepting events; this field mirrors the enabled field. - `nickname` (string) A human-readable name for the Webhook. - `previous_secret_expires_at` (string,null) The time when the previous secret_signing_key expires. Set when the signing key is rotated; null on initial creation. - `secret_signing_key` (string,null) Use this key to verify the Finix-Signature header on incoming webhook events, confirming the payload came from Finix, was not tampered with, and was sent recently. For details, see [Verifying Webhook Signatures](/additional-resources/developers/webhooks/integrating-into-webhooks#verifying-webhook-signatures-finix-signature). - `url` (string) The HTTP or HTTPS URL to receive events. When an event occurs, Finix sends a POST request to this URL with the webhook event payload. - `_links` (object) For your convenience, every response includes several URLs which link to resources relevant to the request. You can use these _links to make your follow-up requests and quickly access relevant IDs. - `_links.application` (object) Link to the Application the request was made under. - `_links.application.href` (string) - `_links.self` (object) Link to the resource that was used in the request. - `_links.self.href` (string) ## Response 400 fields (application/json): - `total` (integer, required) Total number of errors returned. - `_embedded` (object, required) Container for embedded error objects. - `_embedded.errors` (array) List of individual error objects. - `_embedded.errors.code` (string) The error code. The UNKNOWN error code is returned for a 401 Unauthorized or 403 Forbidden request. - `_embedded.errors.logref` (string) A log reference identifier for the error, useful for debugging and support purposes. - `_embedded.errors.message` (string) A human-friendly error message. - `_embedded.errors._links` (object) Links related to this error. - `_embedded.errors._links.self` (object) Link to the resource related to the error. - `_embedded.errors._links.self.href` (string) URL of the related resource. ## Response 401 fields (application/json): - `total` (integer, required) Total number of errors returned. - `_embedded` (object, required) Container for embedded error objects. - `_embedded.errors` (array) List of individual error objects. - `_embedded.errors.code` (string) The error code. The UNKNOWN error code is returned for a 401 Unauthorized or 403 Forbidden request. - `_embedded.errors.logref` (string) A log reference identifier for the error, useful for debugging and support purposes. - `_embedded.errors.message` (string) A human-friendly error message. - `_embedded.errors._links` (object) Links related to this error. - `_embedded.errors._links.self` (object) Link to the resource related to the error. - `_embedded.errors._links.self.href` (string) URL of the related resource. ## Response 403 fields (application/json): - `total` (integer, required) Total number of errors returned. - `_embedded` (object, required) Container for embedded error objects. - `_embedded.errors` (array) List of individual error objects. - `_embedded.errors.code` (string) The error code. The UNKNOWN error code is returned for a 401 Unauthorized or 403 Forbidden request. - `_embedded.errors.logref` (string) A log reference identifier for the error, useful for debugging and support purposes. - `_embedded.errors.message` (string) A human-friendly error message. - `_embedded.errors._links` (object) Links related to this error. - `_embedded.errors._links.self` (object) Link to the resource related to the error. - `_embedded.errors._links.self.href` (string) URL of the related resource. ## Response 406 fields (application/json): - `total` (integer, required) Total number of errors returned. - `_embedded` (object, required) Container for embedded error objects. - `_embedded.errors` (array) List of individual error objects. - `_embedded.errors.code` (string) The error code. The UNKNOWN error code is returned for a 401 Unauthorized or 403 Forbidden request. - `_embedded.errors.logref` (string) A log reference identifier for the error, useful for debugging and support purposes. - `_embedded.errors.message` (string) A human-friendly error message. - `_embedded.errors._links` (object) Links related to this error. - `_embedded.errors._links.self` (object) Link to the resource related to the error. - `_embedded.errors._links.self.href` (string) URL of the related resource. ## Response 422 fields (application/json): - `total` (integer, required) Total number of errors returned. - `_embedded` (object, required) Container for embedded error objects. - `_embedded.errors` (array) List of individual error objects. - `_embedded.errors.code` (string) The error code. The UNKNOWN error code is returned for a 401 Unauthorized or 403 Forbidden request. - `_embedded.errors.logref` (string) A log reference identifier for the error, useful for debugging and support purposes. - `_embedded.errors.message` (string) A human-friendly error message. - `_embedded.errors._links` (object) Links related to this error. - `_embedded.errors._links.self` (object) Link to the resource related to the error. - `_embedded.errors._links.self.href` (string) URL of the related resource.