Webhooks
Webhooks
Setting Up Webhooks
When creating your link_session_token
with the POST /link-session
endpoint, you can specify a callback URL with the webhook
field:
MoneyKit currently send three types of webhooks:
After an end user successfully links their financial institution, webhooks for that link will be sent to the URL you provided.
The webhook body will always include the link_id
of the link that was updated.
Webhook Security
The webhook payload is signed and will include a MoneyKit-Signature
header that can be used to authenticate the webhook. Authentication
is optional but encouraged; if you don't authenticate the webhook, you could be open to attack by an impostor sending you fake notifications.
MoneyKit offers a JSON Web Key Set (JWKS) you can fetch and cache in order to verify the signature in the webhook header.
The JWKS is rotated regularly, so you should refetch whenever the kid
on the incoming webhook does not match your cached JWKS kid
.
Note that only one key returned from the JWKS endpoint is meant to be used for verification.
- The
kid
in the webhook JWT header will match up with the key id of one of the keys returned from the JWKS endpoint. - Depending on the language, some JWT packages will handle this for you. You can pass in the Key Set with the token when decoding (instead of a single key).
- To verify the webhook, first extract the
MoneyKit-Signature
from the webhook header, then validate the signature with your cached JWKS using your preferred JWT library.
In case of failures, webhooks will be resent automatically for up to two hours, on an exponential backoff basis, until your endpoint
acknowledges receipt. Each webhook has a unique webhook_idempotency_key
so that you can avoid accidental reprocessing.
Link State Changed Webhook
-
You will receive this webhook when the state of a link has changed.
-
The possible states are:
LinkState -
If the state is
ERROR
, you will be provided an error type:LinkError -
Here are two examples of the Link State Changed webhook:
JSON -
Any link_tags you provide when creating your
link_session_token
with thePOST /link-session
endpoint will be included in the Link State Changed webhook body:
Product Update Webhook
You will receive this webhook after aggregation for a product has been completed.
There are three scenarios in which this will happen:
-
Soon after an end user completes linking their accounts.
-
After requesting a product refresh using the product refresh endpoint.
-
After a scheduled, periodic aggregation.
Here is an example:
Transactions Available Webhook
MoneyKit automatically enriches new transactions after they are received.
You will receive this when new transactions are available for a link. Note that it is possible for the transactions product to send a Product Update webhook, notifying you that an update was complete, but there may be no new transactions. But if there are new transactions, then you will receive a Transactions Available webhook.
Here is an example:
Note that MoneyKit automatically enriches new transactions after they are received, so when you receive this webhook, it is possible that the new transactions are not yet enriched. You will receive a separate Product Update webhook for the "enrichment" product, when that update process is complete.
Testing Webhooks in Sandbox
MoneyKit makes it easy to test webhooks on demand in the sandbox environment.
The Test Link Event webhook allows you to trigger webhooks for any of your sandbox links.