Receive transaction history report via webhook

🚧
If you are interested in this functionality please contact your account manager.

Generating account level webhook and secret

Contact your account manager. Provide them with your webhook url and he/she will setup your account level webhook and will provide a secret key for you.

Generating transactions report

To generate report, use the Transactions Report endpoint with deliveryChannel=webhook added to the path.

curl --location 'https://api.staging.bvnk.com/ledger/v1/reports' \
--header 'Content-Type: application/json' \
--header 'Authorization: ••••••' \
--data '{
    "from": "2024-10-01T00:00:01",
    "to": "2024-11-29T23:59:59",
    "format": "CSV",
    "deliveryChannel": "WEBHOOK",
    "type": "TRANSACTION",
    "walletId":"a:24091341375337:qAOMdpM:1"
}'

The example above will trigger asynchronous transaction report generation for all of your wallets. Once the report is ready it will be send it via webhook.

Other possible parameters are:

Parameter	Type	Required	Description
`from`	String	Yes	Export range from date in format 'YYYY-MM-dd'.
`to`	String	Yes	Export range to date in format 'YYYY-MM-dd'.
`deliveryChannel`	String	No	How the report will be received. Could be one of webhook, email. Defaults to email. In this scenario, please provide `deliveryChannel=webhook`
`format`	String	No	The format of the generated file report. Could be one of csv, json. Defaults to json
`walletId`	String	No	Filter the transactions based on walletId. If omitted all transactions will be included
`type`	String	Yes	The type of report sent, `TRANSACTION`for a transactions report

Handling transaction report created

Webhooks for transaction reports will be sent as an HTTP POST with Content-Type: application/json containing the following payload:

{
  "event": "reportCreated",
  "data": {
    "url": "https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600"
  }
}

You can check that the event name is correct and then download the report. Keep in mind that the link to the report will be active for the next 24 hours. After that the report won't be accessible.

Acknowledging events

BVNK is expecting a 200 status code upon receipt of a webhook that has been successfully sent.

🚧
If your webhook script performs any logic upon receiving a webhook, you should return a 200 status code before completing the logic to prevent timeouts.

Handling duplicate events

Callback endpoints might occasionally receive the same event more than once. We advise you to guard against duplicated event receipts. One way of doing this is logging the events you’ve processed, and then not processing the logged ones.

Webhook validation

The webhook also contain a signature to allow servers to verify the authenticity of the request using a server-side secret key. The key is provided to you by your account manager. The signature is present in the headers as x-signature header.

How the signature is calculated

Concatenate the webhook url, content-type and payload of the webhook
Generate the signature using the Secret Key and hashedBody components.

Below are examples in some popular programming languages

🚧
Be careful!
Make sure you do not parse your HTTP request into an object and then serialize it.
Instead, just get the webhook raw payload as a string.

import org.apache.commons.codec.digest.HmacAlgorithms;
import org.apache.commons.codec.digest.HmacUtils;

import java.net.URI;
import java.net.URISyntaxException;


/**
 * This is a utility class used for validating webhooks from the Crypto Payments product.
 * It provides a way to verify the authenticity of the incoming webhook request.
 */
public class Main {

    /**
     * This is the main method which drives the process of webhook validation.
     * @param args Unused.
     * @throws URISyntaxException If the provided webhook URL is malformed.
     */
    public static void main(String[] args) throws URISyntaxException {
        //EXAMPLE TEST DATA
        /* Secret key that can be found under Settings -> Manage Merchants -> Merchant Name
        in your BVNK merchant account
        */
        String secretKey = "LWExNWYtYjRjYzJiZjRmZGZhNDU5NmFjNWMtYjhmNS00OTFhLWE0YTAtMWUwZjU5YjAwZjJk";

        /* Webhook URL that you've set under Settings -> Manage Merchants -> Webhook URL */
        String webhookUrl = "https://webhook.site/23dcv4a41-d4935-4e16-9ed6-ce812f7bddcd8";

        /* Content-Type needed for concatenating the values */
        String contentType = "application/json";

        /* Body of the webhook. Make sure the webhook payload is escaped correctly with no whitespaces*/
        String payload = "{\"event\":\"statusChanged\",\"url\":\"https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600\"}";

        // Concatenate the webhook URL, Content-Type, and payload
        String hashBody = getBodyToHash(webhookUrl, contentType, payload);

        // Generate the signature
        String signature = generateSignature(secretKey, hashBody);

        // Output the signature
        System.out.println("Generated signature: " + signature);
    }

    /**
     * This method creates a concatenated string from the provided webhook URL, content type, and payload.
     * @param webhookUrl The URL where the webhook will be sent.
     * @param contentType The MIME type of the content.
     * @param payload The actual content body of the webhook.
     * @return A concatenated string of the provided parameters.
     * @throws URISyntaxException If the provided webhook URL is malformed.
     */
    public static String getBodyToHash(String webhookUrl, String contentType, String payload) throws URISyntaxException {
        URI uri = new URI(webhookUrl);
        StringBuilder hashBody = new StringBuilder();
        hashBody.append(uri.getPath());
        if (uri.getRawQuery() != null) {
            hashBody.append(uri.getRawQuery());
        }
        if (contentType != null) {
            hashBody.append(contentType);
        }
        if (payload != null) {
            hashBody.append(payload);
        }

        return hashBody.toString();
    }

    /**
     * This method generates a signature from the provided secret and the hashed body.
     * It uses the HMAC-SHA256 hashing algorithm.
     * @param secret The secret key used to generate the hash.
     * @param hashBody The body that needs to be hashed.
     * @return The HMAC-SHA256 hash of the body, encoded as a hexadecimal string.
     */
    public static String generateSignature(final String secret, String hashBody) {
        return toHex(new HmacUtils(HmacAlgorithms.HMAC_SHA_256, secret).hmac(hashBody));
    }

    /**
     * This is a helper method that converts a byte array to a hexadecimal string.
     * @param bytes The byte array that needs to be converted.
     * @return The hexadecimal representation of the byte array.
     */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}

import hashlib
import hmac
import urllib.parse

def get_body_to_hash(webhook_url, content_type, payload):
    """
    This method creates a concatenated string from the provided webhook URL, content type, and payload.
    :param webhook_url: The URL where the webhook will be sent.
    :param content_type: The MIME type of the content.
    :param payload: The actual content body of the webhook.
    :return: A concatenated string of the provided parameters.
    """
    request_url = urllib.parse.urlparse(webhook_url)
    body_to_hash = f"{request_url.path}{content_type}{payload}"
    return body_to_hash

def generate_signature(secret_key, hash_body):
    """
    This method generates a signature from the provided secret and the hashed body.
    It uses the HMAC-SHA256 hashing algorithm.
    :param secret_key: The secret key used to generate the hash.
    :param hash_body: The body that needs to be hashed.
    :return: The HMAC-SHA256 hash of the body, encoded as a hexadecimal string.
    """
    hashed = hmac.new(secret_key.encode(), hash_body.encode(), hashlib.sha256)
    return hashed.hexdigest()

def validate_webhook():
    """
    This function prints out the signature from inputs.
    """
    # Secret key that can be found under Settings -> Manage Merchants -> Merchant Name in your BVNK merchant account
    secret_key = 'YTczZmM5YTEtZDFhNi00YWU5LTk4ODktMmEzODI1NzBkMDI2ZWFjNDcwNzgtNTRkYi00OTY0LWI5NjAtMzRmOTQ0ZTE5NDQ3'

    # Webhook URL that you've set under Settings -> Manage Merchants -> Webhook URL
    webhook_url = 'https://webhook.site/11488aba-735e-4906-9809-f1a11a91f49f'

    # Content-Type needed for concatenating the values
    content_type = 'application/json'

    # Body of the webhook.
    payload = '{"event":"reportGenerated","url":"https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600"'

    # Concatenate the webhook URL, Content-Type, and payload
    hash_body = get_body_to_hash(webhook_url, content_type, payload)

    # Generate the signature
    signature = generate_signature(secret_key, hash_body)

    # Output the signature
    print(f"Generated signature: {signature}")

validate_webhook()

<?php

/**
 * This method creates a concatenated string from the provided webhook URL, content type, and payload.
 * @param string $webhookUrl The URL where the webhook will be sent.
 * @param string $contentType The MIME type of the content.
 * @param string $payload The actual content body of the webhook.
 * @return string A concatenated string of the provided parameters.
 */
function getBodyToHash($webhookUrl, $contentType, $payload) {
  $requestURL = parse_url($webhookUrl);
  $bodyToHash = $requestURL['path'] . $contentType . $payload;
  

  return $bodyToHash;
}

/**
 * This method generates a signature from the provided secret and the hashed body.
 * It uses the HMAC-SHA256 hashing algorithm.
 * @param string $secret The secret key used to generate the hash.
 * @param string $hashBody The body that needs to be hashed.
 * @return string The HMAC-SHA256 hash of the body, encoded as a hexadecimal string.
 */
function generateSignature($secretKey, $hashBody) {
  $hash = hash_hmac('sha256', $hashBody, $secretKey);

  return $hash;
}

/**
 * This function prints out the signature from inputs.
 */
function validateWebhook() {
  // EXAMPLE TEST DATA
  $secretKey = 'YTczZmM5YTEtZDFhNi00YWU5LTk4ODktMmEzODI1NzBkMDI2ZWFjNDcwNzgtNTRkYi00OTY0LWI5NjAtMzRmOTQ0ZTE5NDQ3';
  $webhookUrl = 'https://webhook.site/11488aba-735e-4906-9809-f1a11a91f49f';
  $contentType = 'application/json';
  $payload = '{"event":"reportGenerated","url":"https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600"}';

  // Concatenate the webhook URL, Content-Type, and payload
  $hashBody = getBodyToHash($webhookUrl, $contentType, $payload);

  // Generate the signature
  $signature = generateSignature($secretKey, $hashBody);

  // Output the signature
  echo "Generated signature: " . $signature;
}

validateWebhook();

?>

const CryptoJS = require("crypto-js");

/**
 * This method creates a concatenated string from the provided webhook URL, content type, and payload.
 * @param webhookUrl The URL where the webhook will be sent.
 * @param contentType The MIME type of the content.
 * @param payload The actual content body of the webhook.
 * @return A concatenated string of the provided parameters.
 */
function getBodyToHash(webhookUrl, contentType, payload) {
  const requestURL = new URL(webhookUrl);
  const bodyToHash = `${requestURL.pathname}${contentType}${payload}`;

  return bodyToHash;
}

/**
 * This method generates a signature from the provided secret and the hashed body.
 * It uses the HMAC-SHA256 hashing algorithm.
 * @param secret The secret key used to generate the hash.
 * @param hashBody The body that needs to be hashed.
 * @return The HMAC-SHA256 hash of the body, encoded as a hexadecimal string.
 */
function generateSignature(secretKey, hashBody) {
    const hasher = CryptoJS.HmacSHA256(hashBody, secretKey);
    const hashInHex = CryptoJS.enc.Hex.stringify(hasher);
  
    return hashInHex;
}

/**
 * This function prints out the signature from inputs.
 */
function validateWebhook(){
  // EXAMPLE TEST DATA
  // Secret key that can be found under Settings -> Manage Merchants -> Merchant Name in your BVNK merchant account
  const secretKey = 'YTczZmM5YTEtZDFhNi00YWU5LTk4ODktMmEzODI1NzBkMDI2ZWFjNDcwNzgtNTRkYi00OTY0LWI5NjAtMzRmOTQ0ZTE5NDQ3';

  // Webhook URL that you've set under Settings -> Manage Merchants -> Webhook URL
  const webhookUrl = 'https://webhook.site/11488aba-735e-4906-9809-f1a11a91f49f';

  // Content-Type needed for concatenating the values
  const contentType = 'application/json';

  // Body of the webhook.
  const payload = '{"event":"reportGenerated","url":"https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600"}';

  // Concatenate the webhook URL, Content-Type, and payload
  let hashBody = getBodyToHash(webhookUrl, contentType, payload);

  // Generate the signature
  let signature = generateSignature(secretKey, hashBody);

  // Output the signature
  console.log(`Generated signature: ${signature}`);
}

validateWebhook();

using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

class Program
{
    static void Main()
    {
        ValidateWebhook();
    }

    /*
     * This method creates a concatenated string from the provided webhook URL, content type, and payload.
     */
    static string GetBodyToHash(string webhookUrl, string contentType, string payload)
    {
        Uri requestUrl = new Uri(webhookUrl);
        string bodyToHash = $"{requestUrl.AbsolutePath}{contentType}{payload}";

        return bodyToHash;
    }

    /*
     * This method generates a signature from the provided secret and the hashed body.
     * It uses the HMAC-SHA256 hashing algorithm.
     */
    static string GenerateSignature(string secretKey, string hashBody)
    {
        using (var hmac = new HMACSHA256(Encoding.ASCII.GetBytes(secretKey)))
        {
            var hash = hmac.ComputeHash(Encoding.ASCII.GetBytes(hashBody));
            return BitConverter.ToString(hash).Replace("-", "").ToLower();
        }
    }

    /*
     * This function prints out the signature from inputs.
     */
    static void ValidateWebhook()
    {
        // Secret key that can be found under Settings -> Manage Merchants -> Merchant Name in your BVNK merchant account
        const string secretKey = "YTczZmM5YTEtZDFhNi00YWU5LTk4ODktMmEzODI1NzBkMDI2ZWFjNDcwNzgtNTRkYi00OTY0LWI5NjAtMzRmOTQ0ZTE5NDQ3";

        // Webhook URL that you've set under Settings -> Manage Merchants -> Webhook URL
        const string webhookUrl = "https://webhook.site/11488aba-735e-4906-9809-f1a11a91f49f";

        // Content-Type needed for concatenating the values
        const string contentType = "application/json";

        // Body of the webhook.
        const string payload = "{\"event\":\"reportGenerated\",\"url\":\"https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600\"}";

        // Concatenate the webhook URL, Content-Type, and payload
        string hashBody = GetBodyToHash(webhookUrl, contentType, payload);

        // Generate the signature
        string signature = GenerateSignature(secretKey, hashBody);

        // Output the signature
        Console.WriteLine($"Generated signature: {signature}");
    }
}

require 'openssl'
require 'uri'
require 'json'

# This method creates a concatenated string from the provided webhook URL, content type, and payload.
# @param webhook_url [String] The URL where the webhook will be sent.
# @param content_type [String] The MIME type of the content.
# @param payload [String] The actual content body of the webhook.
# @return [String] A concatenated string of the provided parameters.
def get_body_to_hash(webhook_url, content_type, payload)
  request_url = URI.parse(webhook_url)
  body_to_hash = "#{request_url.path}#{content_type}#{payload}"

  return body_to_hash
end

# This method generates a signature from the provided secret and the hashed body.
# It uses the HMAC-SHA256 hashing algorithm.
# @param secret_key [String] The secret key used to generate the hash.
# @param hash_body [String] The body that needs to be hashed.
# @return [String] The HMAC-SHA256 hash of the body, encoded as a hexadecimal string.
def generate_signature(secret_key, hash_body)
  digest = OpenSSL::Digest.new('sha256')
  hmac = OpenSSL::HMAC.hexdigest(digest, secret_key, hash_body)

  return hmac
end

# This function prints out the signature from inputs.
def validate_webhook
  # EXAMPLE TEST DATA
  # Secret key that can be found under Settings -> Manage Merchants -> Merchant Name in your BVNK merchant account
  secret_key = 'YTczZmM5YTEtZDFhNi00YWU5LTk4ODktMmEzODI1NzBkMDI2ZWFjNDcwNzgtNTRkYi00OTY0LWI5NjAtMzRmOTQ0ZTE5NDQ3'

  # Webhook URL that you've set under Settings -> Manage Merchants -> Webhook URL
  webhook_url = 'https://webhook.site/11488aba-735e-4906-9809-f1a11a91f49f'

  # Content-Type needed for concatenating the values
  content_type = 'application/json'

  # Body of the webhook.
  payload = '{"event":"reportGenerated","url":"https://coindirect-filestore.s3.amazonaws.com/com.bvnk.reports.BackgroundReport/b9ee2544-b838-4c37-9051-3974c4d19fef.csv?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEGAaCWV1LXdlc3QtMSJHMEUCIQChnP0FdjPn0tJ8HMz%2BsKwRgHwvqKO8shW1Fs1R57FfuwIgYHtQLOrJoY2WiKHO3SmAAcVHUqptlzakFz6XM9tkkSMqkwUIqf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAFGgwzODU0ODUwMzkxMTEiDAxHTlmQuRKIa3%2FGMSrnBDRX%2BpF1M9F%2FKDbtH3mxQvG1nORC%2BTcxgrNnTFmYcjpr%2BLFpa22PnVrbPXFEaMnsCzySRqgi%2FBz4QNUAZdGvvDZswQFh53a2pC5gmQN3xWd1pzfzkeOaZwVgbyaq1dsTteLQhZdI9lzJG7ceXaLyHWw23P%2B3JocLJKqRp0ugdc3Ksj3RhtgerqxRx80mToq98xB7ndjhoWyVTALQ4Bk7dpBEzoF8ZpQ8zC46uJufwmazn8tZDJK%2Fg603djWfMfCR53lpenLtIxxWD0Feph2IoI5arn2XF%2BZqCg2j8kWAriMYyfOohG1SLcHzjozscsCWNlZgsFJBCypiZltnnUGbPLhUjtodW6a8F7Oib6yB5wEIGcVcvUj1obq%2FL7%2FN78wHaRH5PlzcD%2F9Z%2BoqBPwu%2BKSgl8QTNp%2FG8cO8KwXvm4Gq6%2Fix%2FZMKsfLjPWQ%2BCeZTfm8t9WBFPd5Var89rfZIr26pz5R8XAtIMmVqY8mbLZeDKVem5DwVt1fwBlDb%2BKC9cdduWLfuAFh6kRTG744d71XCetYTw8TUMdZ7emcVHk%2BjHC8qHqwE1bYsG0DAoXJ%2BARW6xwqAxID%2FjkmhJ8Nn%2B07UBtHU6UPhHhCpBLYCu%2B75%2BLwkoqOUWQsm9CJ7ePpDaMT%2B9ovmnolv%2BuRoIhfcKhx3aZSLm2uhrF%2FL4AcdXS%2BNitALmNL5c8F6RX6esQzpuksmLHxq8aFTfz1vEgbklG%2BTES9bsYF8B8vV%2FSNz6VyRohQGGxgEKTgj2%2Bxmr35HpeO86jbz6EU3qHtCF662TCRBlXgnqkQqjzyNVzYrKAu86NFrwIinemjCs9amxBjqbAaIBk%2BWvSyb%2FTVqBq%2FPJSgDaMlmDsWvFMDgY4XcSHx1XuIpTrZxHDErObDG2oHG2VacFUtQw2aeK8OEig94pWd%2B9QhtBiMjbu0LX4IJhX7vNFZ%2BMKC4U7wQJ0lu3SbYwHFNQWWkx07ajTN24DruGQkrbgG%2BzG6u1WoXnr35cUrR0fJUnhqcb0ILVBA7gDpgoW1Xyiz7Bg0mnIKjb&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240425T155243Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86394&X-Amz-Credential=ASIAVTQFS4YDTMPXPNXR%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=872cc212faa8676dcb492f195ddfd9de054e7cf2024165f0d795f9c5b56e9600"}'

  # Concatenate the webhook URL, Content-Type, and payload
  hash_body = get_body_to_hash(webhook_url, content_type, payload)

  # Generate the signature
  signature = generate_signature(secret_key, hash_body)

  # Output the signature
  puts "Generated signature: #{signature}"
end

validate_webhook

The signature will be available in the header of the webhook, x-signature.

Every new webhook will have a new value of the x-signature header. Make sure you are comparing the hash to the right header.