Overview
Webhook events are sent during a Link session as the end user interacts with the application. You can track progress through this session (linkId), get information about end user usage, and receive notifications when certain processes are complete.
Whether you integrate through WhiteLabel or API Only, some API statuses will also be sent to you via webhook.
You can also turn the above two types of webhooks on or off in the Console. Only when they are enabled will you be asked to configure a webhook address, and the corresponding events will be sent to that webhook.
Based on the regulatory and compliance requirements of Open Finance, we have launched specific data products for regulated financial institutions (FI). Please select the following specific method based on whether your company is regulated by the central bank or Open Finance.
When you are ready to go live and move your application to production, you can obtain the accessKey and secretKey for the production environment through Klavi business personnel ([email protected]) or the Klavi console, and set your webhook URL.
By default, Klavi signs the payload using the secretKey and the SHA-256 HMAC algorithm.
If we get a 2xx response from your webhook listener server, the webhook event is registered as a success. For any non-200 HTTP status code (failed event), we will resend the webhook.
Default retry configuration:
- Timeout: 10s
- Retries: 5
- Backoff for automatic retries: 250ms Exponential
- Max redirects: 3
The following parameters will be included in the request header that Klavi POSTs to you; otherwise they will not be present.
Name | Description |
---|---|
partnerAppId | Unique identifier for partner |
eventId | Unique identifier for the event |
eventType | api: All events related to API call |
eventName | The name of each event |
eventTime | The time when this event was triggered (UTC timezone) |
payload | All events include a wrapper that contains metadata. The event data is within this key; different events result in different payload contents. |
externalInfo | If you specified custom events via the externalInfo parameter when generating a link, you will receive the object (externalInfo) back in the body for all other link event types |
Example: Pass the externalInfo object in a generate links call to receive the started event notification.
After the link is successfully created, the parameters you pass will be returned to you through webhook.
To improve system performance for both parties, the payload uses array objects, which means multiple events may be merged into one JSON and sent to you.
If you’re using webhooks for sensitive or critical information, we recommend that you verify the signature of the webhook. Tips for Best Practice:
- Create a SHA-256 HMAC of the request body using your secretKey as the key.
- Compare it to the signature included in the x-klavi-signature header. If the two are equal then the request is valid; otherwise, it is spoofed.
- Store the eventId and ignore webhooks with an ID that has already been processed to prevent replay attacks.
The x-klavi-signature and x-klavi-timestamp headers are added to every event sent.
Here is an example of signature verification in NodeJS:
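The three checks above (HMAC over the raw body, comparison with x-klavi-signature, eventId de-duplication) as an added Node.js example; it is not Klavi's own sample code. It assumes the header carries the HMAC as hex and that eventId is a top-level field of the JSON body; the function names, key and sample event are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: x-klavi-signature carries the HMAC-SHA256 digest as hex.
function sign(rawBody, secretKey) {
  return crypto.createHmac('sha256', secretKey).update(rawBody).digest('hex');
}

// Constant-time comparison. Lengths are checked first because
// timingSafeEqual throws when the buffers differ in length.
function signatureMatches(rawBody, headerValue, secretKey) {
  const expected = Buffer.from(sign(rawBody, secretKey));
  const received = Buffer.from(String(headerValue || '').trim().toLowerCase());
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Returns 'accepted', 'duplicate' or 'rejected'. rawBody must be the exact
// bytes received, captured before any JSON parsing or re-serialisation.
// `seen` is a Set here; production needs a shared store with expiry.
function handleWebhook(rawBody, headers, secretKey, seen) {
  if (!signatureMatches(rawBody, headers['x-klavi-signature'], secretKey)) {
    return 'rejected';
  }
  let event;
  try { event = JSON.parse(rawBody.toString('utf8')); } catch { return 'rejected'; }
  // Assumption: eventId is a top-level field of the JSON body.
  if (!event || typeof event.eventId !== 'string') return 'rejected';
  if (seen.has(event.eventId)) return 'duplicate';
  seen.add(event.eventId);
  return 'accepted';
}

// Constructed sample data (not real Klavi values).
const SECRET = 'constructed-secret-key';
const BODY = Buffer.from(JSON.stringify({ eventId: 'evt-0001', eventType: 'api', payload: [] }));
const GOOD = { 'x-klavi-signature': sign(BODY, SECRET) };

function demo() {
  const seen = new Set();
  const tampered = Buffer.from(BODY.toString().replace('evt-0001', 'evt-9999'));
  return [
    handleWebhook(BODY, GOOD, SECRET, seen),     // valid first delivery
    handleWebhook(BODY, GOOD, SECRET, seen),     // same eventId replayed
    handleWebhook(tampered, GOOD, SECRET, seen), // body changed, stale signature
    handleWebhook(BODY, {}, SECRET, seen),       // signature header missing
  ];
}
console.log(demo());
```

Answer a 'duplicate' with a 2xx response as well, since a failed response causes the event to be resent.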