POST /webhooks/subscriptions
Create webhook subscription.
curl --request POST \
  --url https://sandbox.api.openfx.com/v1/webhooks/subscriptions \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'Idempotency-Key: <idempotency-key>' \
  --header 'X-Signature: <signature>' \
  --header 'X-Timestamp: <unix-timestamp>' \
  --data '
{
  "url": "https://example.com",
  "eventTypes": [
    "<string>"
  ],
  "description": "<string>",
  "metadata": {}
}
'

{
  "id": "wsub_01953e1a5f4b700a",
  "url": "https://example.com/webhooks/openfx",
  "status": "active",
  "eventTypes": [
    "payment.completed",
    "payment.failed",
    "payment.returned"
  ],
  "description": "Payment notifications",
  "createdAt": "2026-02-23T12:00:00Z",
  "updatedAt": "2026-02-23T12:00:00Z"
}

Authorizations

Authorization
string
header
required

API key issued at onboarding. Passed as a Bearer token in the Authorization header: Authorization: Bearer <api-key>. Identifies the caller and determines organization scope. Invalid or revoked keys return 401 with error type authentication_error.

X-Signature
string
header
required

Ed25519 or RSA-SHA256 asymmetric signature over the request payload (ADR-0015). Provides request integrity and non-repudiation. The signature covers the HTTP method, path, query string, request body, and timestamp. Invalid signatures return 401 with error type authentication_error.

X-Timestamp
string
header
required

Unix timestamp (seconds) of when the request was signed. Server rejects requests where the timestamp drifts beyond +/-60 seconds from server time to prevent replay attacks. Must match the timestamp used in the signature computation.

Headers

Idempotency-Key
string
required

Idempotency key for this request. UUID v4 recommended. Max 128 characters. 24-hour retention. Same key + same body replays original response with Idempotency-Replayed: true. Same key + different body returns 409 (code: duplicate_idempotency_key). Same key while the original request is still processing returns 409 with a Retry-After header (code: idempotency_key_in_flight).

Maximum string length: 128

Example:

"550e8400-e29b-41d4-a716-446655440000"
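
The Idempotency-Key outcomes described above, modelled as an in-memory test double for exercising client retry logic. This is an added example, not OpenFX code; the IdempotencyModel class, the SHA-256 body comparison, the order of the two 409 checks, and the Retry-After value are assumptions.

```python
import hashlib
import time

RETENTION_SECONDS = 24 * 60 * 60  # "24-hour retention" (from the page)
MAX_KEY_LENGTH = 128              # "Max 128 characters" (from the page)


class IdempotencyModel:
    """In-memory test double for the documented Idempotency-Key outcomes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # key -> {"digest", "stored_at", "response"}

    def begin(self, key: str, body: bytes) -> dict:
        """Classify an incoming request: process, replay, or 409 conflict."""
        if not 1 <= len(key) <= MAX_KEY_LENGTH:
            raise ValueError("Idempotency-Key must be 1 to 128 characters")
        now = self._clock()
        # Assumption: "same body" is decided by a SHA-256 of the raw bytes.
        digest = hashlib.sha256(body).hexdigest()
        entry = self._entries.get(key)
        if entry is not None and now - entry["stored_at"] >= RETENTION_SECONDS:
            entry = None  # retention elapsed, the key is treated as new
        if entry is None:
            self._entries[key] = {"digest": digest, "stored_at": now, "response": None}
            return {"action": "process"}
        # Assumption: a body mismatch is reported before the in-flight check.
        if entry["digest"] != digest:
            return {"action": "reject", "status": 409,
                    "code": "duplicate_idempotency_key", "headers": {}}
        if entry["response"] is None:
            # Retry-After value of 1 second is constructed; the page gives none.
            return {"action": "reject", "status": 409,
                    "code": "idempotency_key_in_flight",
                    "headers": {"Retry-After": "1"}}
        status, payload = entry["response"]
        return {"action": "replay", "status": status, "body": payload,
                "headers": {"Idempotency-Replayed": "true"}}

    def complete(self, key: str, status: int, payload: dict) -> None:
        """Record the final response so later identical requests replay it."""
        self._entries[key]["response"] = (status, payload)
```

Passing a fake clock to the constructor lets a test step past the 24-hour retention window without waiting.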

Body

application/json

url
string<uri>
required

Fully qualified URL.

Example:

"https://example.com"

eventTypes
string[]
required

description
string

metadata
object

Consumer-defined key-value store. Available on all primary resources. Max 50 keys. Keys must match ^[a-zA-Z0-9_]{1,40}$. Values are strings (max 500 chars) or null.

Response

Webhook subscription created. Signing secret included.

Response returned when creating a webhook subscription. Includes the signing secret which is only available at creation time.

id
string
required

Webhook subscription resource identifier.

Pattern: ^wsub_[A-Za-z0-9]+$
Example:

"wsub_01953e1a5f4b700a"

url
string<uri>
required

Fully qualified URL.

Example:

"https://example.com"

eventTypes
string[]
required

Event types to subscribe to. Use ["*"] for all events.

status
enum<string>
required

Status of a webhook subscription.

Available options: active, suspended, disabled

createdAt
string<date-time>
required

UTC timestamp in RFC 3339 / ISO 8601 format.

Example:

"2026-02-23T12:00:00Z"

signingSecret
string
required

HMAC-SHA256 signing secret for verifying webhook payloads. Store this value securely — it cannot be retrieved again.

description
string

metadata
object

Consumer-defined key-value store. Available on all primary resources. Max 50 keys. Keys must match ^[a-zA-Z0-9_]{1,40}$. Values are strings (max 500 chars) or null.

updatedAt
string<date-time>

UTC timestamp in RFC 3339 / ISO 8601 format.

Example:

"2026-02-23T12:00:00Z"