Real-time / Webhooks

Data Direct: Real-time provides a webhook mechanism for event delivery. A webhook is a web application, deployed to a dedicated URL, which receives banking event data as a JSON request body payload, normally via an HTTP POST operation.

Events delivered via webhooks are sent in JSON formatted data from Apiture Digital Banking (ADB) directly to a Financial Institution (FI) or third-party’s webhook application. The FI or third-party provides Apiture with a URL where their event handling application listens for event messages, and Apiture delivers event messages to that location as the banking events occur within the Apiture Digital Banking platform. When an event occurs, Apiture Digital Banking attempts event delivery in near real-time.

Creating and Managing Webhooks

Webhooks are created and maintained by the Financial Institution or other third-party. Information about the webhook is provided to Apiture via the Developer Portal.

For help with the initial onboarding process, see our onboarding article. This article should be used for reference at the same time as the onboarding article.

To learn more about registering for Data Direct: Real-Time event delivery in the Developer Portal, see the Creating Data Direct: Real-Time Webhooks article.

This article provides guidance for creating a webhook that can process Data Direct: Real-Time events, including the structure of the webhook and reading the provided data. Registration of the webhook on the Developer Portal is required in order to receive event data delivery.

Receiving and Processing Data

An webhook application to receive the event message payloads data must be available via an HTTPS URL. The JSON data sent follows the structure discussed in the Webhook Structure section.

The application must require either a username and password combination or 0Auth 2.0 Client Credentials for Authentication. The Authentication information is provided to Apiture when the webhook is created. More information on this is discussed in the Authentication section.

Apiture pushes new Events to the HTTPS URL and uses the Authentication method to verify it is a secure source of data.

After data is received, the application may process and use the data however it is needed.

Secured Connection Required

Event Webhooks only work over an HTTPS (encrypted) connection. An HTTP connection is not allowed as unencrypted data connections are considered a security risk.

Event Structure

The format description is available at General Structure. The event structure is the same as other event data.

Delivery Failure

Event message delivery via a webhook may fail for several reasons: The webhook URL may not be listening for messages, or the webhook service may return a problem HTTP response code. Event message delivery succeeds if the HTTP status code is 200 OK, 202 Accepted, or 204 No Content. If event message delivery fails, Apiture Digital Banking will attempt to deliver the event again after a short delay. If delivery fails repeatedly, Apiture Digital Banking will temporarily disable event delivery via the webhook until an automatic “health check” test succeeds, indicating the webhook connection is working properly again. See Webhook Health Checks below. Event data accumulated during this time are not lost, but are not delivered in near real-time. The partner may use Apiture APIs to poll for events which occurred during time their event webhook was failing.

Webhook Structure

Apiture requires the following information to create a webhook connection.

Every webhook has a:

URL
list of categories
authorization type
state
[Optional] description

URL

The URL is the location where Events are sent. This location is determined by the FI. This URL is not hosted by Apiture and is usually connected to the FI’s backend for data processing.

Categories

There are many categories of events, which can be used to include or exclude certain event data. For example, if an FI desires a webhook to only monitor wire transfers events, they would only include the wireTransfers category.

There is no limit to the amount of categories that a webhook can have.

To browse the available events and their categories, view our Event Documentation.

Webhook Authorization

Each webhook has an authorizationType property which indicates which type of authentication. The type of Authorization are:

basic
oauthClientCredentials

The details of setting up each Authorization type are detailed in the Authorization section within this article.

Webhook State

Each webhook has a state property which indicates whether events should be routed to it. Some states are set automatically, while others can be requested if needed. The states are:

active:: Events are sent to this webhook.
suspended:: The webhook has been manually suspended. The webhook can be suspended or resumed at any time by using the Apiture Developer Portal.
deactivated:: Apiture has automatically stopped events from being sent to this webhook, because it has had multiple, consecutive failures, such as responding with a 4xx or 5xx error code. Apiture may contact the webhook owner when a webhook is in a deactivated state, if it seems necessary to resolve the issue.

The webhook is be reactivated by Apiture once a successful Webhook Health Check is verified.

Description

This optional field is a human-readable description of the webhook.

Authorization

The authorization type is selected when you register a webhook. All webhooks require authorization. There are two types of authorization methods:

Basic

When the authorization method is Basic, then a Webhook is expected to use a username and password for authorization as per RFC 7617 Basic Authentication.

OAuth / Client Credentials

When the authorization method is Client Credentials, the client supports the OAuth2 Authentication Client Credentials Grant. A Webhook using Client Credentials must to have the following properties provided by the partner:

A clientId, submitted as a one-line string. Do not include line breaks.
A clientSecret, submitted as a one-line string. Do not include line breaks.
A tokenUrl is the URL ,hosted by the partner (not hosted by Apiture) where the partner’ webhoot supports obtaining the Client Credentials access token. The URL must use the https:// protocol.
The scope is the space-delimited scope values Apiture needs to Authenticate with the partner’s application. These scopes are defined by the partner, and are not the scopes associated with Apiture APIs.

As per the OAuth2 Authentication Client Credentials Grant flow The Apiture platform sends an HTTP POST to the webhook’s Token URL, passing the the grant_type of client_credentials and the Client ID, Client Secret, and scope, associated with the webhook’s authorization. This token URL identifies the webhook authorization that implements the OAUth2 token_endpoint.

The webhook token URL must return the standard OAuth2 token_endpoint; the response must include the "access_token" string and the "token_type" string; the token type is typically the string "Bearer". An example response from a POST to the webhook’s token URL is below:

{ "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600
}

Sending Authorization to the webhook

When the platform sends an event message to the webhook, it includes an Authorization: header. For the Client Credentials flow, this header value
consists of the corresponding token_type and access_token returned from the token URL, such as

Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA

for the example above.

If the webhook’s authorization is Basic Auth, the platform sends the standard Basic authorization header, with the encoded username/password associated with the webhook’s registration. For example, if the
webhook’s registration has the username of webhook-user and password insecure-password, the platform will send the following authorization header with each event message sent to the webhook:

Authorization: Basic d2ViaG9vay11c2VyOmluc2VjdXJlLXBhc3N3b3Jk

The partner’s webhook application must validate the required Authorization header and reject invalid or expired access_token values to ensure secure communication.

Webhook Health Checks

A Health Check is a special payload that Apiture Digital Banking platform sends to the webhook URL to test the health of the webhook. When you create a webhook and as part of Apiture activating a webhook after it has been approved, the platform sends a health check payload to the webhook to verify that it is listening and handling event message payloads correctly.

If the webhook does not respond to the health check with a 200-level HTTP response, or it times out and does not respond within a fixed time, then the health check fails. The platform does not activate a webhook if the initial Webhook Health Check fails.

The health check payload is an event message (as defined by the the eventMessageItem schema, with the event message category: system and event message type: webhookHealthCheck. The other required eventMessageItem properties are present in the payload:

id:: the event identifier
occurredAt:: a time stamp (string) in RFC 3339 date-time format
agentType:: the string system.

Below is a JSON object showing a sample event message request body for a webhook health check payload:

{
  "id": "9e202a99023c72010993",
  "category": "system",
  "type": "webhookHealthCheck",
  "occurredAt": "2025-11-06T07:11:44.375Z",
  "agentType": "system",
  "data": {}
}

Once activated, webhook may fail repeatedly when the platform attempts to send banking event messages to it. For example, the webhook service may have stopped listening for messages. When this happens, the platform <em>deactivates</em> the webhook and stops sending events messages to the webhook. The platform periodically sends webhook health checks until the health check returns a 200-level HTTP (success) response code, which indicates that the webhook is healthy. When healthy, the platform reactivates the webhook and resumes sending banking event messages to the webhook URL.

Processing unexpected events

Note: The webhook should not return a 4xx-level or 5xx-level HTTP response code if it detects an event type or category that it does not expect or recognize. (In future releases of the platform, Apiture may add new event types to categories you are subscribed to.)

The webhook should log such events to its internal logs or send developer notifications, so that the webhook owner can periodically check the logs and perhaps refine the categories the webhook is subscribed to, or update the code. When a webhook receives events it does not expect, it should ignore them and return a 2xx-level response code, such as a 204 No Content.