Ebury's webhooks need to access public URLs. If these endpoints are private, your SecOps team should whitelist our IP address. Please request the IP list from your Implementation Manager.
To ensure the authenticity of the webhook message, the service provides a hash signature using the HMAC + SHA256 mechanism. This guarantees that the message was sent by the expected source and hasn't been tampered with during transmission.
While the webhook service provides security through the hash signature, JWT (JSON Web Token) or other authentication flows are not provided. Therefore, the signature check using the hash is critical for verifying the message.
Ebury clients can receive notifications through a webhook notification system. Here's a step-by-step guide on how to get started with this system and ensure proper setup:
Register a Secret Key and URL:
Secret Key: A secret key is used to authenticate and verify the integrity of the webhook requests. You can create one in this API section: Create Secret.
You are required to create only one secret key for the webhook system, but you can register up to three secret keys in total.
If a secret key is compromised, you can generate a new secret key. Once you update the key, Ebury's FX platform will send both the old and new signatures in the header. You should only consider the most recent signature as valid.
URL: The URL is the endpoint that receives the notifications and processes the data accordingly. To register it, refer to this API section: Create Webhook.
Clients will receive a webhook notification with:
X-Signature-1: A hash signature that they can use to verify the authenticity of the message.
Message Content: Details related to the FX operation or event (e.g., transaction status, customer updates, etc.).
The message content itself is not encrypted.
To validate the message, clients will need to use the same hashing algorithm with their secret key to ensure the integrity and authenticity of the notification received.
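The validation step described above could be implemented as follows. This is an added example, not Ebury's own code. It assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body, which this page does not specify; the secret and payload are constructed sample values.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Signature-1"  # header name given on this page


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    # Assumption: HMAC-SHA256 over the raw body bytes, hex-encoded.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes) -> bool:
    """Return True only if the signature header matches raw_body under secret."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    received = normalised.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned requests are rejected, never processed
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(),
                               received.strip().lower().encode())


# Constructed sample data (not real Ebury values).
SECRET = b"constructed-example-secret"
BODY = b'{"event": "transaction.status", "status": "completed"}'
HEADERS = {"x-signature-1": compute_signature(SECRET, BODY)}


def demo() -> dict:
    tampered = BODY.replace(b"completed", b"cancelled")
    # Parsing and re-serialising JSON changes the bytes, so always verify
    # the body exactly as received, before any parsing.
    reserialised = json.dumps(json.loads(BODY), separators=(",", ":")).encode()
    return {
        "valid": verify_webhook(HEADERS, BODY, SECRET),
        "tampered": verify_webhook(HEADERS, tampered, SECRET),
        "reserialised": verify_webhook(HEADERS, reserialised, SECRET),
        "wrong_secret": verify_webhook(HEADERS, BODY, b"old-secret"),
        "missing_header": verify_webhook({}, BODY, SECRET),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

After a key rotation, verify with the new secret only, since only the most recent signature counts as valid.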