Skip to main content
All webhooks sent by the Grid API include a signature in the X-Grid-Signature header, which allows you to verify the authenticity of the webhook. This is critical for security, as it ensures that only legitimate webhooks from Grid are processed by your system.

Signature Verification Process

  1. Obtain your Grid public key
    • This is available in your dashboard under Developers webhook settings.
    • The key is in PEM format and can be used with standard cryptographic libraries
  2. Verify incoming webhooks
    • Extract the signature from the X-Grid-Signature header
    • Decode the base64 signature
    • Create a SHA-256 hash of the entire request body
    • Verify the signature using the Grid webhook public key and the hash
    • Only process the webhook if the signature verification succeeds

Verification Examples

Node.js Example

Python Example

Testing

To test your webhook implementation, you can trigger a test webhook from the Grid dashboard. This will send a test webhook to the endpoint you provided during the integration process. The test webhook will also be sent automatically when you update your platform configuration with a new webhook URL. An example of the test webhook payload is shown below:
You should verify the signature of the webhook using the Grid public key and the process outlined in the Signature Verification Process section and then reply with a 200 OK response to acknowledge receipt of the webhook.

Security Considerations

  • Always verify signatures: Never process webhooks without verifying their signatures.
  • Use HTTPS: Ensure your webhook endpoint uses HTTPS to prevent man-in-the-middle attacks.
  • Implement idempotency: Use the id field to prevent processing duplicate webhooks.
  • Timeout handling: Implement proper timeout handling and respond to webhooks promptly.

Retry Policy

The Grid API will retry webhooks with the following policy based on the webhook type:
Webhook TypeRetry PolicyNotes
TESTNo retriesUsed for testing webhook configuration
OUTGOING_PAYMENT.*Retry with exponential backoff up to 7 days with maximum interval of 30 minsNo retry on 409 (duplicate webhooks)
INCOMING_PAYMENT.*Retry with exponential backoff up to 7 days with maximum interval of 30 minsNo retry on: 409 (duplicate webhook) or PENDING status since it is served as an approval mechanism in-flow
BULK_UPLOAD.*Retry with exponential backoff up to 7 days with maximum interval of 30 minsNo retry on 409 (duplicate webhooks)
INVITATION.*Retry with exponential backoff up to 7 days with maximum interval of 30 minsNo retry on 409 (duplicate webhooks)
CUSTOMER.*Retry with exponential backoff up to 7 days with maximum interval of 30 minsNo retry on 409 (duplicate webhooks)
ACCOUNT.*Retry with exponential backoff up to 7 days with maximum interval of 30 minsNo retry on 409 (duplicate webhooks)