Inbound Webhooks

The Nomba receiver that drives reconciliation.

This is the inbound receiver the bank provider posts to — it drives reconciliation. You don't call it; it's documented so you understand the flow. To receive events, register a webhook endpoint.

Always 200 for a valid signature

The receiver returns 200 even for duplicate, ignored, or unmatched events (so the provider stops retrying); the body says what happened. A bad/missing signature returns 401.

HMAC-SHA256 verified

Requests are verified against your webhook secret over a canonical field string. Duplicates (same reference) are ignored — reconciliation is idempotent.
post/webhooks/nomba

Nomba webhook receiver (HMAC-SHA256 verified).

Public

Responses

200Accepted (processed, duplicate, ignored, or unmatched).401Invalid or missing signature.
POST /webhooks/nomba
curl -X POST "https://api.xental.online/webhooks/nomba"
post/api/v1/webhooks/nomba

Nomba webhook receiver (HMAC-SHA256 verified).

Public

Responses

200Accepted (processed, duplicate, ignored, or unmatched).401Invalid or missing signature.
POST /api/v1/webhooks/nomba
curl -X POST "https://api.xental.online/api/v1/webhooks/nomba"