Webhooks
Webhooks are used to communicate changes to a transaction or other entities within the Hurdlr API. If you subscribe to webhooks, then your server will be alerted every time an entity is modified or a notable lifecycle event occurs.
1. How it works
By subscribing to receive "ENTITY_UPDATE" webhooks, your server can asynchronously fetch updated data at the exact moment it becomes available. When that new data is available, the Hurdlr API will make a POST call to a URL of your choosing with the data needed for your server to update appropriately. This approach ensures your users always have up-to-date data while removing unnecessary polls/refreshes from your server, saving you valuable resources.
By subscribing to receive "LIFECYCLE_EVENT" webhooks, you can trigger timely lifecycle notifications (e.g. push notifications, emails, and/or other alerts) based on timely user actions. For example, if a user's client views their invoice, the Hurdlr API will make a POST call to a URL of your choosing with the data needed for your server to alert your user that their client viewed the invoice.
2. Subscribing to receive webhooks
Hurdlr's API team is here to help! Simply email [email protected] with the subject line "Subscribe to Webhooks", and provide the following info:
a. Your API client_Id
b. Webhook URL for the Sandbox environment
c. Webhook URL for the Production environment
Our API team will respond back within 5 business days with your Sandbox webhook_secret and your Production webhook_secret and will fire off sample webhooks to your Sandbox Webhook URL, for your team to develop/test with.
3. ENTITY_UPDATE
An "ENTITY_UPDATE" webhook will contain a JSON body like the following:
{
"userId": "fake_userId",
"type": "ENTITY_UPDATE",
"entities": ["bankTransfer", "expense", "revenue", "taxPayment"]
}
The possible entities and recommended actions on how to update each given entity are listed below:
| Webhook Type | Entity | Recommended action |
|---|---|---|
| ENTITY_UPDATE | attachments | GET /attachments |
| ENTITY_UPDATE | bankAccount | GET /bankAccounts |
| ENTITY_UPDATE | bankTransfer | GET /bankTransfers |
| ENTITY_UPDATE | business | GET /businesses |
| ENTITY_UPDATE | client | GET /clients |
| ENTITY_UPDATE | expense | GET /expenses |
| ENTITY_UPDATE | expenseCategory | GET /expenses/categories |
| ENTITY_UPDATE | expenseRule | GET /expenses/rules |
| ENTITY_UPDATE | glAccount | GET /glAccounts |
| ENTITY_UPDATE | glEntry | GET /glEntries |
| ENTITY_UPDATE | invoice | GET /invoices |
| ENTITY_UPDATE | invoiceSetup | GET /invoiceSetup |
| ENTITY_UPDATE | payments | GET /payments |
| ENTITY_UPDATE | personalExpenseCategory | GET /expenses/personalCategories |
| ENTITY_UPDATE | plaidItem | GET /plaidItems |
| ENTITY_UPDATE | revenue | GET /revenues |
| ENTITY_UPDATE | revenueRule | GET /revenueRules |
| ENTITY_UPDATE | task | GET /tasks |
| ENTITY_UPDATE | taxEstimates | GET /taxEstimates |
| ENTITY_UPDATE | taxPayment | GET /taxPayments |
| ENTITY_UPDATE | time | GET /times |
| ENTITY_UPDATE | userTaxSetup | GET /userTaxSetup |
| ENTITY_UPDATE | vendor | GET /vendors |
4. LIFECYCLE_EVENT
A "LIFECYCLE_EVENT" webhook will contain a JSON body like the following:
{
"userId": "fake_userId",
"type": "LIFECYCLE_EVENT",
"event": "TRANSACTION_PULL_COMPLETED",
"eventData": {
"integrationName": "PLAID"
}
}
Custom lifecycle events
The Hurdlr API team can customize events to power your ideal user experience. Don't hesitate to email us at [email protected] if you are looking for something that you don't see below.
Some of the possible events and recommended messaging to notify your users are listed below:
| Webhook Type | Event | Example message |
|---|---|---|
| LIFECYCLE_EVENT | BANK_TRANSFER_ADDED | 1 new bank transfer from *3333 needs to be reviewed. |
| LIFECYCLE_EVENT | BANK_TRANSFER_AUTO_TAGGED | 2 new bank transfers were automatically matched. |
| LIFECYCLE_EVENT | BANK_TRANSFER_UPDATED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | EXPENSE_ADDED | 4 new expenses from *3333 need to be tagged. |
| LIFECYCLE_EVENT | EXPENSE_AUTO_TAGGED | 2 new expenses from *3333 were auto-tagged. |
| LIFECYCLE_EVENT | EXPENSE_UPDATED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | INTEGRATION_ADDED | N/A (useful for triggering next set of onboarding steps/messages) |
| LIFECYCLE_EVENT | INTEGRATION_ERROR | Re-link your Citi account |
| LIFECYCLE_EVENT | INVOICE_CREATED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | INVOICE_PAID | Bill Tanner has paid Invoice HUR-121. |
| LIFECYCLE_EVENT | INVOICE_PAYMENT_METHOD_STORED | Bill Tanner has added a card on file for future invoices. |
| LIFECYCLE_EVENT | INVOICE_SETUP_COMPLETED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | INVOICE_VIEWED | Bill Tanner has opened Invoice HUR-121. |
| LIFECYCLE_EVENT | JOURNAL_ENTRY_ADDED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | PAYMENT_PROCESSING_SETUP_COMPLETED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | RECEIPT_ATTACHED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | REVENUE_ADDED | 3 new income transactions from *3332 need to be tagged. |
| LIFECYCLE_EVENT | REVENUE_AUTO_TAGGED | 1 new income transaction from *3332 was auto-tagged. |
| LIFECYCLE_EVENT | REVENUE_UPDATED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | TAX_PAYMENT_ADDED | 1 new tax payment from *3333 needs to be reviewed. |
| LIFECYCLE_EVENT | TAX_PAYMENT_UPDATED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | TAX_SETUP_COMPLETED | N/A (useful for user analytics) |
| LIFECYCLE_EVENT | TRANSACTION_PULL_COMPLETED | Historical transactions are ready to be tagged. |
Additional use cases
The above lifecycle events can be used in varying ways depending on your product's use case. For example, if your product manages corporate/employee spend, it may benefit your user experience to make the
EXPENSE_ADDEDevent trigger a push notification prompting the user to add a receipt image. TheeventDataincluded with theEXPENSE_ADDEDevent contains the information necessary to route the user to the exact transaction that requires a receipt.
5. Webhook Verification
Hurdlr signs every webhook, so that you have the option to verify the webhooks you receive. This helps you protect against a bad actor flooding your server with fake webhooks.
Verifying Webhooks
Hurdlr follows the JSON Web Token (JWT) standard and includes its JWTs in the Hurdlr-Verification HTTP header of the webhook.
To verify a Hurdlr JWT, follow these steps:
-
Extract the
Hurdlr-VerificationHTTP header from the Hurdlr webhook -
Select a JWT library of your choice
-
Pass in HMAC-SHA256 as the signing algorithm to your selected JWT library and then use the library to verify the value of the
Hurdlr-Verificationheader against your webhook_secret, obtained in 2. Subscribing to receive webhooks
import 'dotenv/config';
import express from "express";
import { jwtVerify } from "jose";
const app = express();
// Your secret should be stored base64-encoded
const webhook_secret = Buffer.from(process.env.SECRET, "base64");
app.post("/webhook", express.raw({type: "application/json"}), async (req, res) => {
const jwt = req.get('Hurdlr-Verification');
let payload;
try {
// Verify the JWT using the HMAC-SHA256 signing algorithm
const jwtVerifyResult = await jwtVerify(jwt, webhook_secret, {algorithms: ["HS256"]});
payload = jwtVerifyResult.payload;
} catch (err) {
return res.status(400).send(`JWT failed to verify: ${err.message}`);
}
// ...
});
Note: If your library does not automatically decode the JWT, Base64Url decode the JWT payload and deserialize it into a JSON object.
- Ensure that the webhook is not expired. Verify that the difference between the
iatfield of the payload and the currentNumericDatetimestamp is within your tolerance. Hurdlr recommends a default tolerance of 5 minutes.
app.post("/webhook", express.raw({type: "application/json"}), async (req, res) => {
// ...
// Validate the iat, i.e. make sure the webhook has not expired
// Hurdlr recommends a default tolerance of five minutes
const TIME_TOLERANCE = (60 * 5);
let timestamp = payload.iat;
const now = Math.floor(Date.now() / 1000);
if (now - timestamp >= TIME_TOLERANCE) {
return res.status(400).send("Webhook expired")
}
// ...
});
- Ensure that the webhook was not modified by anyone other than Hurdlr. Verify that the
request_body_sha256field of the payload is equal to the SHA-256 hash of the webhook’s request body.
import { timingSafeEqual } from "node:crypto";
const { subtle } = globalThis.crypto;
app.post("/webhook", express.raw({type: "application/json"}), async (req, res) => {
// ...
// Validate the webhook body hash
const enc = new TextEncoder();
const bodyDigest = await subtle.digest("SHA-256", req.body);
const webhookHash = enc.encode(btoa(String.fromCharCode(...new Uint8Array(bodyDigest))));
const claimHash = enc.encode(payload.request_body_sha256 as string);
if (!timingSafeEqual(webhookHash, claimHash)) {
return res.status(400).send("Webhook payload modified")
}
// Verification succeeded
// You can process the webhook here or call the next handler in your request-response cycle
res.send("Webhook verification succeeded");
});
Once these steps are completed successfully, you can be confident that the webhook came from Hurdlr and that it is safe to process.
Updated 3 days ago