This page is intended as a top-level Webhooks section, since webhook events span multiple platform areas (widget flows and transaction activity) rather than belonging to any single feature.
How it works
- You register a webhook URL on your application in the Developer Portal.
- You select which event types to listen for (or subscribe to all of them).
- When a matching event occurs, Fluz sends an HTTP
POSTto your URL with a signed JSON payload. - Your server verifies the signature, acknowledges with a
2xx, and processes the event.
FAILED.
Webhooks by app type
How events are routed to your app depends on your application model.Private apps — your own account
Webhooks fire for activity on your own account. Any transaction, decline, or deposit on accounts you own triggers webhooks registered on your app. Common use cases: notifications when a virtual card transaction is authorized or settled; real-time alerting on declines; monitoring deposits and balance changes on your spend accounts.Public apps (OAuth) — acting on behalf of users
Webhooks fire for activity on accounts that have authorized your app. When a user grants your app access via OAuth, their events are routed to your registered webhooks — provided the user’s OAuth grant includes the required scopes. This works whether the user interacts through your direct API integration or an embedded widget; the key requirement is an OAuth relationship between the user and your app. Common use cases: monitoring virtual card spend across connected accounts; real-time decline notifications; tracking deposit completions; receiving KYC status updates.Widget apps
Widget apps are a specialized public app. Events route the same way (based on the OAuth relationship), and widget apps additionally support widget-specific events like transfer completions and gift card purchases.Event types
Fluz only delivers an event if your application — and, for public/OAuth apps, the individual user’s OAuth grant — holds the required scopes.Transaction events
Cover the full transaction lifecycle. Apply to all app types.Deposit events
Widget-specific events
Apply to widget and OAuth integrations where users interact through Fluz-embedded flows.📘 Naming note:WIDGET_DEPOSIT_COMPLETEandWIDGET_WITHDRAW_COMPLETEdescribe customer↔app transfers; theDEPOSIT/WITHDRAWwording is historical. Treat “deposit” as “customer → app” and “withdraw” as “app → customer.”
Setting up webhooks
1. Open the Developer Portal
Go to the Developer Portal and select your application.2. Open the Webhooks section
- OAuth apps: OAuth tab → Webhook URLs.
- Widget apps: Widget tab → Webhook URLs.
- API / private apps: the Webhook URLs section in your app settings.
3. Add a webhook URL
Click Add new URL and enter your HTTPS endpoint (e.g.,https://api.yourapp.com/webhooks/fluz).
4. Select events
Choose the event types you want to receive. Leave the selection empty to act as a catch-all and receive every event your app has scopes for.5. Save
Click Create Webhook. Your endpoint begins receiving events immediately.Managing webhooks
- Multiple endpoints — you can register more than one webhook URL per application.
- Change subscribed events — delete the webhook and recreate it with the new event selection.
- Remove a webhook — click Remove next to it. The webhook is archived immediately and stops receiving events.
Receiving webhooks
Request format
Every webhook is delivered as an HTTPPOST with these headers:
The body is a JSON object, and every payload includes an
eventType field identifying the event.
Endpoint requirements
- HTTPS only — plain HTTP endpoints are rejected at registration time.
- Publicly accessible and able to accept
POSTrequests. - Respond with a
2xxwithin 30 seconds. Non-2xxresponses or timeouts trigger retries. - Verify the HMAC signature on every request.
Verifying signatures
Every delivery includes anX-HMAC-Signature header — an HMAC-SHA256 hash of the raw JSON body, signed with your application’s API key. Always verify it before trusting a payload.
⚠️ Verify against the raw request body. Compute the HMAC over the exact bytes Fluz sent — do not re-serialize the parsed JSON. Re-stringifying can reorder keys or change whitespace and cause valid signatures to fail. The examples below capture the raw body for this reason.
Node.js (Express)
Python (Flask)
Responding to webhooks
Your endpoint must:- Respond with a
2xxstatus within 30 seconds. - Return quickly — acknowledge first, then process asynchronously.
- Be reachable over HTTPS.
- Respond with redirects (
3xx). - Respond with
4xx/5xxfor valid webhooks (this triggers retries).
Retry policy
New events resume delivery automatically once your endpoint recovers. To re-send events that already reached
FAILED, contact support with the relevant X-Event-ID.
Event status lifecycle
Idempotency & ordering
Webhooks may be delivered more than once, and delivery order is not guaranteed.- Deduplicate using the
X-Event-IDheader. Persist processed IDs (Redis or a database in production) and skip events you’ve already handled. - Order by data, not arrival. If sequence matters, order by payload timestamps (
createdAt,updatedAt,transactionDateTime) and event IDs.
Identifying the app and user
- User:
userIdis the Fluz user ID. For OAuth/widget events,externalReferenceIdmaps to your user identifier from the OAuth flow. - App: transaction payloads include
connectedAppIdandconnectedAppName. If you route multiple apps to one endpoint, branch onconnectedAppId.
Payload reference
Every payload includes aneventType. Field availability can vary by event; handlers should ignore unrecognized fields for forward compatibility.
Transaction created (TRANSACTION_CREATE)
Fired for any new transaction — virtual card purchases, deposits, transfers, and more.
Transaction updated (TRANSACTION_UPDATE)
Fired when a transaction’s status or details change — for example, when a pending authorization settles.
TRANSACTION_CREATE where present, plus updatedAt (ISO 8601) marking when the change occurred.
🚧 Consistency check: confirmuserIdandconnectedAppId/connectedAppNameare present onTRANSACTION_UPDATE(andTRANSACTION_DECLINE) so consumers can identify the user and app consistently across the lifecycle.
Transaction declined (TRANSACTION_DECLINE)
Fired when a transaction is declined. Includes structured decline reasons your app can act on.
Deposit complete (DEPOSIT_COMPLETE)
Fired when a deposit from a funding source to a spend account completes.
KYC initiation (WIDGET_KYC_INITIATION)
Fired when a user begins identity verification. Public/widget apps only.
Transfer completed — customer to app (WIDGET_DEPOSIT_COMPLETE)
Fired when a user transfers funds to your application.
Transfer completed — app to customer (WIDGET_WITHDRAW_COMPLETE)
Fired when your application transfers funds to a user.
Gift card purchase (WIDGET_PURCHASE_GIFT_CARD)
Fired when a gift card purchase completes through the widget.
🚧 To be completed. Add the WIDGET_PURCHASE_GIFT_CARD payload example and field table (e.g., merchant, amount, gift card identifier).
Common widget payload fields: userId (Fluz user ID), accountId (Fluz account ID), externalReferenceId (your user identifier from the OAuth flow), and amount where applicable.
Best practices
- Respond fast, process later. Return
200immediately and handle the event asynchronously to avoid timeouts and unnecessary retries. - Verify every request. Validate
X-HMAC-Signatureagainst the raw body using your API key before processing. - Deduplicate with event IDs. Track
X-Event-IDto handle retried/duplicate deliveries. - Accept unknown fields. Payloads may gain fields over time; ignore unrecognized ones rather than failing.
- Monitor your endpoint. Alert on repeated non-
2xxresponses — after 5 failures events are markedFAILED.
Troubleshooting
Need help?
- Technical issues: check your endpoint logs and contact support with the
X-Event-ID. - Scope questions: see Application Scopes and Decline Codes.