Guides
Start typing to search…

Webhooks

Webhooks allow your application to receive real-time notifications about events that take place within the platform. Instead of continuously polling our API for updates, webhooks push data to your application when events occur.

Delivery

Webhook events are delivered with a retry policy. After 3 attempts the event will be marked as a failed delivery.
Previous events can be queried by using the webhook/{webhookId}/events endpoint.

Webhook Signature Verification

When an event occurs, we'll send a POST request to your webhook URL with:

  • The event data in the request body
  • A signature in the X-Webhook-Signature header

To verify that the webhook came from our system and wasn't tampered with:

  • Get the signature from the X-Webhook-Signature header
  • Compute an HMAC-SHA256 signature using your webhook token and the raw request body
  • Compare the computed signature with the one in the header
/**
* Validates a webhook signature
* @param {string} payload - The raw request body as a string
* @param {string} signature - The signature from X-Webhook-Signature header 
* @param {string} webhookToken - Your webhook token 
* @returns {boolean} - Whether the signature is valid 
*/
function validateWebhookSignature(payload, signature, webhookToken) {
  const crypto = require('crypto'); 
  // Create HMAC using the webhook token
  const hmac = = crypto.createHmac('sha256', webhookToken);
  
  //Update with the payload
  hmac.update(payload);
  
  // Get the computed signature as hex
  const computedSignature = hmac.digest('hex');
  
  //// Compare signatures (using constant-time comparison to prevent timing attacks)
  return crypto.timingSafeEqual( 
    Buffer.from(computedSignature, 'hex'),
    Buffer.from(signature, 'hex')
  );
}
/// <summary>
/// Validates a webhook signature
/// </summary>
/// <param name="payload">The raw request body as a string</param> 
/// <param name="signature">The signature from X-Webhook-Signature header</param> 
/// <param name="webhookToken">Your webhook token</param>
/// <returns>Whether the signature is valid</returns> 
public bool ValidateWebhookSignature(string payload, string signature, string webhookToken)
{
  using (var hmac = new       System.Security.Cryptography.HMACSHA256(System.Text.Encoding.UTF8.GetBytes(webhookToken)))
  {
    // Compute the hash
    byte[] hash = hmac.ComputeHash(System.Text.Encoding.UTF8.GetBytes(payload));
    
    // Convert to hex string
    string computedSignature = BitConverter.ToString(hash).Replace("-", "").ToLower();
    
    // Compare signatures
    return string.Equals(computedSignature, signature, StringComparison.OrdinalIgnoreCase);
    
  }
}

Events

Please refer to the following link for a link of supported events: https://api-docs.monark-markets.tech/reference/webhook-events

IP Whitelisting

For webhook IP whitelisting configuration, please ensure that the following IP addresses are added to your allowlist to enable proper communication with our webhook endpoints.

The sandbox environment webhook traffic will originate from

  • 5.161.56.181/32

while production webhook requests will be sent from

  • 107.20.245.176/32

These CIDR-formatted IP addresses should be configured in your firewall rules, security groups, or webhook endpoint access controls to allow inbound HTTPS traffic from Monark's systems.

Updated 17 days ago