Skip to main content
Webhooks send event notifications to your endpoint when something happens in Guardian. Guardian uses tiny event payloads that describe what happened. You need to use the API to fetch more details if needed.

How webhooks work

  1. Event occurs: A token operation or system event happens in Guardian.
  2. Notification sent: Guardian sends a webhook payload to your configured endpoint.
  3. Process payload: Your endpoint receives a lightweight event description.
  4. Fetch details: Use the API to fetch full details if needed.

Configuration

Callback behavior and payload signing are documented on the endpoint that registers the webhook (see Register webhook for more details).

Security

  • Webhook payloads are signed so you can verify authenticity.
  • Configure secure (HTTPS) endpoints.
  • Validate webhook signatures before processing requests.

HMAC signing

The x-hmac-signature header is a base16-encoded (hex) Message Authentication Code (MAC) generated from the raw request payload using your HMAC key and SHA256.

How to verify

  1. Calculate the HMAC using:
    • The raw payload you received in the webhook body
    • Your HMAC key
    • The SHA256 hashing function
  2. Compare the calculated value with the x-hmac-signature header you received.
If they match, the webhook was sent by Guardian and was not modified in transmission.