/
30 minute read
March 24, 2022

Webhooks Management

Webhooks are notifications about API events, sent as they occur. The Marqeta platform sends these notifications to an endpoint hosted in your environment and configured to receive and process them. See the About Webhooks guide for more information.

Create a webhook object to represent your webhook endpoint. Configure it with the URL of your webhook endpoint and a set of credentials for accessing that endpoint. You can configure it to send notifications for a single event, a group of events by type, or all event types. To set up multiple webhook endpoints and route different types of event notifications to each, create multiple webhook objects and configure each to send a specific type of event notification to a specific endpoint.

Create webhook

Action: POST
Endpoint: /webhooks

Creates a webhook.

Request body
Fields Description

active

boolean
Optional

Indicates whether the webhook is active.

Allowable Values:

true, false

Default value:
true

config

object
Required

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

config.basic_auth_password

string
Required

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.basic_auth_username

string
Required

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

config.custom_header

object
Optional

Custom headers to be passed along with the request.

Allowable Values:

Valid config.custom_header object

config.secret

string
Optional

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.url

string
Required

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

config.use_mtls

boolean
Optional

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

events

array of strings
Required

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

name

string
Required

Descriptive name of the webhook.

Allowable Values:

1–64 chars

token

string
Optional

Unique identifier of the webhook.

Allowable Values:

1–36 chars

Sample request body
JSON
Copied

Is this helpful?

Yes
No
Response body
Fields Description

active

boolean
Conditionally returned

Indicates whether the webhook is active. This field is returned if you included it in your webhook.

Allowable Values:

true, false

config

object
Returned

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

config.basic_auth_password

string
Returned

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.basic_auth_username

string
Returned

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

config.custom_header

object
Conditionally returned

Custom headers to be passed along with the request.

Allowable Values:

Existing config.custom_header object

config.secret

string
Conditionally returned

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.url

string
Returned

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

config.use_mtls

boolean
Conditionally returned

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

created_time

datetime
Conditionally returned

Date and time when the webhook event was created, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

events

array of strings
Returned

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

last_modified_time

datetime
Conditionally returned

Date and time when the associated object was last modified, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

name

string
Returned

Descriptive name of the webhook.

Allowable Values:

1–64 chars

token

string
Conditionally returned

The unique identifier of the webhook.

Allowable Values:

1–36 chars

Sample response body
JSON
Copied

Is this helpful?

Yes
No

List webhooks

Action: GET
Endpoint: /webhooks

Returns an array of all webhooks.

This endpoint supports field filtering, sorting and pagination.

URL query parameters
Fields Description

active

boolean
Optional

Set to true to return only active webhook configurations.

Allowable Values:

true, false

count

integer
Optional

The number of resources to retrieve.

Allowable Values:

1-10

start_index

integer
Optional

The sort order index of the first resource in the returned array.

Allowable Values:

Any integer

fields

string
Optional

Comma-delimited list of fields to return (field_1,field_2, and so on). Leave blank to return all fields.

Allowable Values:

Comma delimited list of fields, or blank

sort_by

string
Optional

Field on which to sort. Use any field in the resource model, or one of the system fields lastModifiedTime or createdTime. Prefix the field name with a hyphen (-) to sort in descending order. Omit the hyphen to sort in ascending order.

Allowable Values:

lastModifiedTime, createdTime, or any field in the resource model

Response body
Fields Description

count

integer
Conditionally returned

The number of resources to retrieve.

Allowable Values:

1-10

data

array of objects
Conditionally returned

An array of webhooks.

Allowable Values:

Valid webhooks array

data[].active

boolean
Conditionally returned

Indicates whether the webhook is active. This field is returned if you included it in your webhook.

Allowable Values:

true, false

data[].config

object
Returned

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

data[].config.basic_auth_password

string
Returned

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

data[].config.basic_auth_username

string
Returned

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

data[].config.custom_header

object
Conditionally returned

Custom headers to be passed along with the request.

Allowable Values:

Existing config.custom_header object

data[].config.secret

string
Conditionally returned

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

data[].config.url

string
Returned

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

data[].config.use_mtls

boolean
Conditionally returned

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

data[].created_time

datetime
Conditionally returned

Date and time when the webhook event was created, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

data[].events

array of strings
Returned

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

data[].last_modified_time

datetime
Conditionally returned

Date and time when the associated object was last modified, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

data[].name

string
Returned

Descriptive name of the webhook.

Allowable Values:

1–64 chars

data[].token

string
Conditionally returned

The unique identifier of the webhook.

Allowable Values:

1–36 chars

Existing webhook token

end_index

integer
Conditionally returned

The sort order index of the last resource in the returned array.

Allowable Values:

Any integer

is_more

boolean
Conditionally returned

A value of true indicates that more unreturned resources exist.

Allowable Values:

Any integer

start_index

integer
Conditionally returned

The sort order index of the first resource in the returned array.

Allowable Values:

Any integer

Sample response body
JSON
Copied

Is this helpful?

Yes
No

Update webhook custom headers

Action: PUT
Endpoint: /webhooks/customheaders/{token}

Adds or updates a webhook’s custom HTTP headers.

URL path parameters
Fields Description

token

string
Required

The unique identifier of the webhook.

Allowable Values:

Existing webhook token

Request body
Fields Description

custom_header

object
Optional

Custom headers to be passed along with the request.

Allowable Values:

Valid custom_header object

Sample request body
JSON
Copied

Is this helpful?

Yes
No
Response body
Fields Description

active

boolean
Conditionally returned

Indicates whether the webhook is active. This field is returned if you included it in your webhook.

Allowable Values:

true, false

config

object
Returned

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

config.basic_auth_password

string
Returned

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.basic_auth_username

string
Returned

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

config.custom_header

object
Conditionally returned

Custom headers to be passed along with the request.

Allowable Values:

Existing config_custom_header object

config.secret

string
Conditionally returned

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.url

string
Returned

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

config.use_mtls

boolean
Conditionally returned

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

created_time

datetime
Conditionally returned

Date and time when the webhook event was created, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

events

array of strings
Returned

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

last_modified_time

datetime
Conditionally returned

Date and time when the associated object was last modified, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

name

string
Returned

Descriptive name of the webhook.

Allowable Values:

1–64 chars

token

string
Conditionally returned

The unique identifier of the webhook.

Allowable Values:

1–36 chars

Sample response body
JSON
Copied

Is this helpful?

Yes
No

Retrieve webhook

Action: GET
Endpoint: /webhooks/{token}

Retrieves a webhook.

URL path parameters
Fields Description

token

string
Required

The unique identifier of the webhook.

Allowable Values:

Existing webhook token

Response body
Fields Description

active

boolean
Conditionally returned

Indicates whether the webhook is active. This field is returned if you included it in your webhook.

Allowable Values:

true, false

config

object
Returned

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

config.basic_auth_password

string
Returned

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.basic_auth_username

string
Returned

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

config.custom_header

object
Conditionally returned

Custom headers to be passed along with the request.

Allowable Values:

Existing config.custom_header object

config.secret

string
Conditionally returned

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.url

string
Returned

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

config.use_mtls

boolean
Conditionally returned

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

created_time

datetime
Conditionally returned

Date and time when the webhook event was created, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

events

array of strings
Returned

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

last_modified_time

datetime
Conditionally returned

Date and time when the associated object was last modified, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

name

string
Returned

Descriptive name of the webhook.

Allowable Values:

1–64 chars

token

string
Conditionally returned

The unique identifier of the webhook.

Allowable Values:

1–36 chars

Existing webhook token

Update webhook

Action: PUT
Endpoint: /webhooks/{token}

Updates a webhook.

URL path parameters
Fields Description

token

string
Required

The unique identifier of the webhook.

Allowable Values:

Existing webhook token

Request body
Fields Description

active

boolean
Optional

Indicates whether the webhook is active.

Allowable Values:

true, false

Default value:
true

config

object
Required

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

config.basic_auth_password

string
Required

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.basic_auth_username

string
Required

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

config.custom_header

object
Optional

Custom headers to be passed along with the request.

Allowable Values:

Valid config.custom_header object

config.secret

string
Optional

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.url

string
Required

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

config.use_mtls

boolean
Optional

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

events

array of strings
Required

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

name

string
Required

Descriptive name of the webhook.

Allowable Values:

1–64 chars

Response body
Fields Description

active

boolean
Conditionally returned

Indicates whether the webhook is active. This field is returned if you included it in your webhook.

Allowable Values:

true, false

config

object
Returned

Contains the configuration information for the webhook.

Allowable Values:

Valid config object

config.basic_auth_password

string
Returned

Password for accessing your webhook endpoint.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.basic_auth_username

string
Returned

Username for accessing your webhook endpoint.

Allowable Values:

1–50 chars

config.custom_header

object
Conditionally returned

Custom headers to be passed along with the request.

Allowable Values:

Existing config.custom_header object

config.secret

string
Conditionally returned

A randomly chosen string used for implementing HMAC-SHA1.

HMAC-SHA1 provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see Signature Verification.

Allowable Values:

20–50 chars

  • Must contain at least one numeral

  • Must contain at least one lowercase letter

  • Must contain at least one uppercase letter

  • Must contain at least one of these symbols: @ # $ % ! ^ & * ( ) \ _ + ~ ` - = [ ] { } , ; : ' " , . / < > ?

config.url

string
Returned

URL of your webhook endpoint.

Allowable Values:

1–255 chars

  • Must be HTTPS

  • Empty string not allowed

config.use_mtls

boolean
Conditionally returned

Set to true to use MTLS for the webhook.

Allowable Values:

true, false

created_time

datetime
Conditionally returned

Date and time when the webhook event was created, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

events

array of strings
Returned

Specifies the types of events for which notifications are sent.

The wildcard character * indicates that you receive all webhook notifications, or all notifications of a specified category. For example, * indicates that you receive all webhook notifications; transaction.* indicates that you receive all transaction webhook notifications.

NOTE: You can only use the wildcard character with the base type events, not subcategories. For example, you cannot subscribe to cardtransition.fulfillment.* events, but you can subscribe to cardtransition.*.

Allowable Values:

For a comprehensive list of events, see Event Types.

last_modified_time

datetime
Conditionally returned

Date and time when the associated object was last modified, in UTC.

Allowable Values:

Format: yyyy-MM-ddThh:mm:ssZ

name

string
Returned

Descriptive name of the webhook.

Allowable Values:

1–64 chars

token

string
Conditionally returned

The unique identifier of the webhook.

Allowable Values:

1–36 chars

Existing webhook token

Ping webhook

Action: POST
Endpoint: /webhooks/{token}/ping

Pings webhook endpoint.

Send a ping request to your webhook endpoint to validate credentials and connectivity. Your webhook endpoint must be configured to respond.

Configuring your webhook endpoint

This subsection describes the ping request that your webhook endpoint should expect and its expected response.

When the Marqeta platform receives the ping request, it sends a POST request containing the following body to the URL of your webhook endpoint:

JSON
Copied

Is this helpful?

Yes
No

To indicate that it is functioning properly, your webhook endpoint must respond with a status code of "200" (see Signature Verification for a code example that identifies a ping request). The response can optionally include a JSON-formatted body, for example:

JSON
Copied

Is this helpful?

Yes
No

The Marqeta platform then responds to its requestor by echoing, as-is, the response code and body received from your webhook endpoint.

Using the ping facility

To ping a webhook endpoint, send a POST request to /webhooks/{token}/ping and use the token path parameter to specify the webhook to ping. Include an empty, JSON-formatted body in the request, that is:

JSON
Copied

Is this helpful?

Yes
No

The following chain of actions occurs during a successful ping:

  • The Marqeta platform receives the ping request (POST to /webhooks/{token}/ping).

  • The Marqeta platform sends a request to your webhook endpoint.

  • Your webhook endpoint responds with a status code of "200" and an optional body.

  • The Marqeta platform responds to its requestor by echoing, as-is, the response code and body received from your webhook endpoint.

Note
If the customer-hosted endpoint fails to respond within five seconds, the Marqeta platform times out the request and responds with the following message body (where <optional message> represents additional details you can choose to include in the response):
JSON
Copied

Is this helpful?

Yes
No

Failed pings are not automatically retried.

URL path parameters
Fields Description

token

string
Required

The unique identifier of the webhook.

Allowable Values:

Existing webhook token

Response body
Fields Description

pings

array of objects
Returned

An array of ping requests to your webhook endpoint.

Allowable Values:

Valid pings array

pings[].payload

string
Conditionally returned

The payload of the ping request.

Allowable Values:

255 char max

pings[].token

string
Conditionally returned

The unique identifier of the ping request.

Allowable Values:

255 char max

Sample response body
JSON
Copied

Is this helpful?

Yes
No

Resend event notification

Action: POST
Endpoint: /webhooks/{token}/{event_type}/{event_token}

Resends an event notification to your webhook endpoint.

Although you send this request as a POST, all parameters are passed in the URL and the body is empty. The event notification is resent to your webhook endpoint and also returned in the response to this request.

URL path parameters
Fields Description

token

string
Required

The unique identifier of the webhook.

Allowable Values:

Existing webhook token

event_type

string
Required

Specifies the type of event you want to resend.

Allowable Values:

chargebacktransition, digitalwallettokentransition, cardtransition, usertransition, businesstransition, transaction

event_token

string
Required

The token identifying the event for which you want to resend a notification.

Allowable Values:

Existing event token

Join our developer newsletter