POST request for a dispute.
In production, you will host this service on your own server.
When testing the service in your private sandbox, you must run the server locally and expose it to the internet through a secure tunnel.
There are many tools available to set up a secure tunnel, such as ngrok, Cloudflare Tunnel, or Tailscale Funnel.
This guide describes how to set up a secure tunnel using ngrok.
By the end of this guide, you will understand how to:
- Implement a testing webhook API for dispute events locally.
- Serve your webhook handler via ngrok for testing in the private sandbox.
- Send a
POSTrequest to the Private Sandbox environment.
Prerequisites
Ensure that you have set up the following before beginning:- A Marqeta account with access to the private sandbox
- Your program short code and base64-encoded credentials
- Node.js installed (if using the boilerplate app)
- An ngrok account with the CLI installed
Implementing an API or webhook handler app
To receive and process Marqeta events, you must implement a local server app with aPOST endpoint that listens for these events.
A single webhook handler can receive events from multiple services in the Marqeta platform.
Installing a boilerplate app to handle webhooks
Marqeta provides you with a boilerplate app to test webhook handling.
Download the Node JS Disputes webhook handler app by clicking here. (ZIP file, 45 KB)
Creating your own app to handle webhooks
If you do not want to use the Node JS Disputes webhook handler app, you can write your own code to implement a webhook handler app. Your webhook handler must have aPOST endpoint in a path of your choice, for example /disputes.
Listening for disputes events
For disputes handling, configure your endpoint to listen for these events:- Transaction webhooks - Marqeta sends transaction webhooks whenever funds move between any entities on the Marqeta platform.
- Chargeback transition webhooks - Marqeta sends chargeback transition webhooks during every state transition of a chargeback. Marqeta triggers an event each time the status changes.
-
Case events webhooks -
Case events represent actions that do not involve immediate money movement or standard status changes.
Examples include:
- Smart reject: When Marqeta rejects a transaction before it is submitted to the card network.
- Provisional credit: When a credit becomes permanent for Reg E cases.
- Case transitions webhooks (optional) - These webhooks track internal state transitions from Marqeta. They provide updates on case movements before a dispute is submitted to the card network. This step is optional because your organization will initiate the API calls that trigger these transitions.
Tunneling your server to the internet with ngrok
With your server running locally, you can expose it to the public internet by completing the following steps:Create or sign in to your ngrok account and install the CLI.
Complete the initial steps in ngrok’s Setup Guide.
Find your unique domain in the ngrok dashboard.
This is the domain your local server will have on the public internet.

Run the command
ngrok http --url <your_ngrok_domain> <port_for_your_app> to expose your domain to the public internet.Submitting a webhook request
With your webhook handler app ready to receive requests from Marqeta, send aPOST request to the /webhooks endpoint in your private sandbox environment.
Sample request body
Theevents array in the examples below uses "*" to subscribe to all event types, which is convenient for sandbox testing.
In production, you can limit this to only the events your integration needs.
For disputes, use the following events:
-
Include the path to your
POSTendpoint in theurl, not only your ngrok domain. -
A
secretfor request signatures is not required, but if you provide it you must also send asignature_algorithmas well.HMAC_SHA_256is recommended. -
Provide a
tokento identify the specific webhook.Note the following before you use the sample request:- If you are using a
secretfor request signatures, thesecretmust be 20–50 characters long. basic_auth-passwordmust be 20–50 characters long.
- If you are using a
- A
secretfor request signatures is not required, but if you provide it you must also send asignature_algorithmas well.HMAC_SHA_256is recommended. - Provide a
tokento identify the specific webhook.
Sample response body
Response Example
Response Example
JSON
secret, basic_auth_username, and basic_auth_password are expected and indicate that the values were saved successfully.Testing the webhook handling app
You can test your webhook handling app by simulating a transaction. Check your server logs to ensure your service receives the payload.Sample webhook log
Webhook Log Example
Webhook Log Example
