Skip to main content
Webhooks push real-time event notifications to your server when something happens in your Oak account — a payment completes, a refund is issued, a transfer lands, etc. Register an HTTPS endpoint, store the signing secret, and verify incoming payloads to keep your system in sync without polling.

Methods

Register a webhook

The secret is only returned on register. Store it securely — you need it to verify incoming webhook signatures.

List webhooks

Update a webhook

Toggle a webhook

Enable or disable a webhook without deleting it:

Delete a webhook

Notifications

List all notifications that have been sent to your webhooks:
Get a specific notification:

Signature verification

The SDK exports utilities to verify incoming webhook signatures using HMAC-SHA256 with timing-safe comparison.

Signature header format

The webhook signature is sent in the Oak-Signature header with the format:
The SDK parses the header by key prefix (not position), so the field order does not matter.

Verify a signature

Verify and parse in one step

parseWebhookPayload combines signature verification with JSON parsing, returning a Result:

Express.js example

Always verify webhook signatures before processing payloads. Use express.raw() (not express.json()) to preserve the raw body for signature verification.

Webhook data types

RegisterRequest

Webhook data (response)

Notification

Event types

The Webhook.EventType type includes 75+ events across these namespaces:
  • customer.* — customer lifecycle events
  • provider_registration.* — provider registration events
  • payment.* — payment lifecycle events
  • transaction.* — transaction events
  • dispute.* — dispute events
  • kyc.* — KYC verification events
  • transfer.* — transfer events
  • sell.* — sell (off-ramp) events
  • buy.* — buy (on-ramp) events

Event categories

The Webhook.Category type includes 12 categories: payment_lifecycle, provider_registration_lifecycle, and others that group related events for filtering and routing.