Webhook Endpoints

Register endpoints to receive signed, enriched events.

Register HTTPS endpoints to receive signed, enriched, pre-reconciled events (e.g. deposit.reconciled). Xental signs each delivery and retries with backoff.

Signing secret is shown once

The endpoint's signing secret is returned only at creation. Store it immediately — you'll need it to verify the HMAC-SHA256 signature on every delivery.

Public HTTPS only (SSRF-guarded)

Endpoint URLs must be public https. Private/loopback/link-local hosts are rejected. For local dev, use a tunnel (e.g. ngrok).

Failed deliveries are replayable

Deliveries retry with backoff and are dead-lettered after exhaustion — you can list and replay them rather than losing an event.
get/api/v1/webhook-endpoints

List the account's active webhook endpoints (secrets not returned).

Requires Bearer token

Responses

200OK
GET /api/v1/webhook-endpoints
curl -X GET "https://api.xental.online/api/v1/webhook-endpoints" \
  -H "Authorization: Bearer <API_TOKEN>"
post/api/v1/webhook-endpoints

Register a callback URL. Returns the signing secret once.

Requires Bearer token

Body parameters

urlstringoptional

Responses

201Registered; body carries the one-time signing secret.400URL is not a public HTTPS endpoint.
POST /api/v1/webhook-endpoints
curl -X POST "https://api.xental.online/api/v1/webhook-endpoints" \
  -H "Authorization: Bearer <API_TOKEN>"
delete/api/v1/webhook-endpoints/{id}

Remove (deactivate) an endpoint.

Requires Bearer token

Path parameters

idstringrequired

Responses

204No Content404Not Found
DELETE /api/v1/webhook-endpoints/{id}
curl -X DELETE "https://api.xental.online/api/v1/webhook-endpoints/:id" \
  -H "Authorization: Bearer <API_TOKEN>"
get/api/v1/webhook-endpoints/deliveries

Recent delivery attempts (observability), optionally filtered by status.

Requires Bearer token

Query parameters

statusWebhookDeliveryStatusoptional

Responses

200OK
GET /api/v1/webhook-endpoints/deliveries
curl -X GET "https://api.xental.online/api/v1/webhook-endpoints/deliveries" \
  -H "Authorization: Bearer <API_TOKEN>"
post/api/v1/webhook-endpoints/deliveries/{id}/replay

Requeue a failed/dead-lettered delivery for immediate retry.

Requires Bearer token

Path parameters

idstringrequired

Responses

202Accepted404Not Found
POST /api/v1/webhook-endpoints/deliveries/{id}/replay
curl -X POST "https://api.xental.online/api/v1/webhook-endpoints/deliveries/:id/replay" \
  -H "Authorization: Bearer <API_TOKEN>"