> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blnkfinance.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhooks

> Use Blnk webhooks to reliably react to ledger events and keep your product in sync-without polling the API.

export const CtaCallout = props => {
  const {title, buttonLabel, href, trackingEvent, buttonTarget, rel = "noopener noreferrer", children} = props;
  const handleCtaClick = () => {
    if (typeof window === "undefined" || !trackingEvent) {
      return;
    }
    try {
      window.dispatchEvent(new CustomEvent("blnk:docs-cta", {
        detail: {
          name: trackingEvent,
          href
        }
      }));
    } catch {}
    try {
      window.posthog?.capture?.(trackingEvent, {
        href
      });
    } catch {}
    const gaPayload = {
      cta_href: href
    };
    try {
      window.gtag?.("event", trackingEvent, gaPayload);
    } catch {}
    try {
      window.dataLayer = window.dataLayer || [];
      window.dataLayer.push({
        event: trackingEvent,
        ...gaPayload
      });
    } catch {}
  };
  const isExternal = typeof href === "string" && (/^https?:\/\//i).test(href);
  const target = buttonTarget ?? (isExternal ? "_blank" : undefined);
  const linkRel = isExternal ? rel : undefined;
  return <section className="cta-callout not-prose relative my-8 w-full min-w-0 overflow-hidden rounded-xl border border-zinc-200 p-5 dark:border-white/10">
      <div className="cta-callout-noise" aria-hidden="true" />
      <div className="cta-callout-layout">
        {title ? <div className="cta-callout-title-row">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 28 28" width="14" height="14" className="cta-callout-icon shrink-0 text-zinc-800 dark:text-zinc-200" aria-hidden="true">
              <g fill="none" fillRule="nonzero">
                <path d="M28 0v28H0V0h28ZM14.691833333333335 27.134333333333334l-0.012833333333333334 0.0023333333333333335 -0.08283333333333333 0.04083333333333334 -0.023333333333333334 0.004666666666666667 -0.016333333333333335 -0.004666666666666667 -0.08283333333333333 -0.04083333333333334c-0.011666666666666667 -0.004666666666666667 -0.022166666666666668 -0.0011666666666666668 -0.028000000000000004 0.005833333333333334l-0.004666666666666667 0.011666666666666667 -0.019833333333333335 0.49933333333333335 0.005833333333333334 0.023333333333333334 0.011666666666666667 0.015166666666666667 0.12133333333333333 0.08633333333333333 0.0175 0.004666666666666667 0.014000000000000002 -0.004666666666666667 0.12133333333333333 -0.08633333333333333 0.014000000000000002 -0.018666666666666668 0.004666666666666667 -0.019833333333333335 -0.019833333333333335 -0.4981666666666667c-0.0023333333333333335 -0.011666666666666667 -0.0105 -0.019833333333333335 -0.019833333333333335 -0.021Zm0.3091666666666667 -0.13183333333333336 -0.015166666666666667 0.0023333333333333335 -0.21583333333333335 0.1085 -0.011666666666666667 0.011666666666666667 -0.0035000000000000005 0.012833333333333334 0.021 0.5016666666666667 0.005833333333333334 0.014000000000000002 0.009333333333333334 0.008166666666666668 0.23450000000000004 0.1085c0.014000000000000002 0.004666666666666667 0.026833333333333334 0 0.03383333333333334 -0.009333333333333334l0.004666666666666667 -0.016333333333333335 -0.03966666666666667 -0.7163333333333334c-0.0035000000000000005 -0.014000000000000002 -0.011666666666666667 -0.023333333333333334 -0.023333333333333334 -0.025666666666666667Zm-0.8341666666666667 0.0023333333333333335a0.026833333333333334 0.026833333333334334 0 0 0 -0.0315 0.007000000000000001l-0.007000000000000001 0.016333333333333335 -0.03966666666666667 0.7163333333333334c0 0.014000000000000002 0.008166666666666668 0.023333333333333334 0.019833333333333335 0.028000000000000004l0.0175 -0.0023333333333333335 0.23450000000000004 -0.1085 0.011666666666666667 -0.009333333333333334 0.004666666666666667 -0.012833333333333334 0.019833333333333335 -0.5016666666666667 -0.0035000000000000005 -0.014000000000000002 -0.011666666666666667 -0.011666666666666667 -0.21466666666666667 -0.10733333333333334Z" strokeWidth="1.1667" />
                <path fill="currentColor" d="M14 2.916666666666667A1.75 1.75 0 0 1 15.750000000000002 4.666666666666667v6.302333333333334L21.207666666666668 7.816666666666667a1.75 1.75 0 0 1 1.75 3.031L17.5 14l5.457666666666667 3.151166666666667a1.75 1.75 0 0 1 -1.75 3.031l-5.457666666666667 -3.1500000000000004V23.333333333333336a1.75 1.75 0 0 1 -3.5 0v-6.302333333333334L6.792333333333334 20.183333333333337a1.75 1.75 0 1 1 -1.75 -3.031L10.5 14 5.042333333333334 10.848833333333333a1.75 1.75 0 0 1 1.75 -3.031l5.457666666666667 3.1500000000000004V4.666666666666667A1.75 1.75 0 0 1 14 2.916666666666667Z" strokeWidth="1.1667" />
              </g>
            </svg>
            <p className="cta-callout-title min-w-0 font-semibold text-zinc-800 dark:text-zinc-200">
              {title}
            </p>
          </div> : null}
        <div className={`cta-callout-body text-sm leading-normal text-zinc-800 dark:text-zinc-200${title ? " cta-callout-body--indented" : ""}`}>
          {children}
        </div>
        <a href={href} target={target} rel={linkRel} onClick={handleCtaClick} data-docs-cta={trackingEvent || undefined} className="cta-callout-button inline-flex items-center justify-center gap-1 rounded-full bg-white px-3 py-1.5 text-sm font-semibold transition hover:bg-zinc-100 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-white/50 dark:bg-white dark:hover:bg-zinc-200">
          {buttonLabel}
          <span className="cta-callout-button-arrow" aria-hidden="true">
            →
          </span>
        </a>
      </div>
    </section>;
};

<Info>Global webhooks are available in version 0.8.4 and later. Signed deliveries require version 0.13.0 and later.</Info>

Blnk sends webhook events to your HTTP endpoints in real time. Your code reacts when a transaction is created, committed, voided, or when a reconciliation completes.

This is critical in financial systems where timing matters. Polling risks gaps: you might miss a window between checks, or waste resources on empty requests.

Webhooks push the exact event to you the moment it happens, so your balances, notifications, and downstream workflows stay accurate and in sync.

<Frame caption="Event-driven flow: Blnk pushes ledger events to your app so you can sync payments, notifications, and other tools without polling">
  <img src="https://mintcdn.com/blnk/9MJwGfwCYUdbRSsI/images/how-webhooks-work.png?fit=max&auto=format&n=9MJwGfwCYUdbRSsI&q=85&s=b3cf8a40fd4afc493e2f95478dceb483" alt="Diagram showing payment provider, your app, and Blnk connected by webhook events to downstream tools" width="3840" height="2400" data-path="images/how-webhooks-work.png" />
</Frame>

Instead of asking Blnk "did anything change?" on a timer, your app listens once and reacts when the ledger moves, keeping your product and tools like payments, notifications, etc. aligned.

***

## Webhook types

Blnk offers two types of webhooks:

* **[Global webhooks](/webhooks/global-webhooks):** A single endpoint for ledger-wide event notifications: resource lifecycle changes, reconciliation outcomes, and system errors.
* **[Transaction hooks](/webhooks/transaction-hooks):** Registered endpoints tied to transactions for workflows that run before or after a transaction is applied.

Here's how they differ:

|                    | Global webhooks                                                        | Transaction hooks                                                                |
| :----------------- | :--------------------------------------------------------------------- | :------------------------------------------------------------------------------- |
| **Configuration**  | In [notification configuration](/advanced/configuration/notifications) | With the [Hooks API](/webhooks/transaction-hooks)                                |
| **When they fire** | On all named lifecycle events                                          | Only on transaction events                                                       |
| **Management**     | Edit Blnk configuration                                                | Update, list, delete via Hooks API                                               |
| **Typical use**    | Global notifications, reconciliation results, system errors            | Related to transaction workflows (validation, enrichment, pipeline side effects) |

***

## Webhook security

<Info>
  Available in version 0.13.0 and later.
</Info>

Blnk signs outbound webhook requests so you can verify they came from your Blnk Core and were not tampered with.

Both **global webhooks** and **transaction hooks** use the same signing scheme.

| Header             | Description                                                                               |
| :----------------- | :---------------------------------------------------------------------------------------- |
| `X-Blnk-Signature` | Hex-encoded HMAC-SHA256 of the signed payload.                                            |
| `X-Blnk-Timestamp` | Unix timestamp in seconds (string), used in the signed payload and for replay protection. |
| `X-Hook-ID`        | The hook identifier (transaction hooks only).                                             |
| `X-Hook-Type`      | `PRE_TRANSACTION` or `POST_TRANSACTION` (transaction hooks only).                         |

To verify a webhook:

<Steps>
  <Step title="Extract headers and raw body">
    Read `X-Blnk-Signature` and `X-Blnk-Timestamp` from the request. Reject requests missing either header.

    <Warning>
      Preserve the **exact raw bytes** of the request body before JSON parsing. Do not use a parsed or re-serialized body-any whitespace or encoding changes will cause verification to fail.
    </Warning>
  </Step>

  <Step title="Build signed payload">
    Concatenate the timestamp and raw body:

    ```
    signed = timestamp + "." + rawRequestBody
    ```
  </Step>

  <Step title="Compute expected signature">
    Compute `HMAC-SHA256` using `server.secret_key` from your [Blnk configuration](/advanced/secure-blnk), then hex-encode:

    ```
    expected = hex( HMAC-SHA256(secret_key, signed) )
    ```
  </Step>

  <Step title="Compare signatures">
    Compare `expected` to `X-Blnk-Signature` using a **constant-time comparison** (e.g. `crypto.timingSafeEqual` in Node.js). If they match, the webhook is authentic.

    <Tip>
      For replay protection, also reject timestamps outside a small window (e.g. ±5 minutes).
    </Tip>

    <CodeGroup>
      ```javascript Node.js theme={"system"}
      import express from "express";
      import crypto from "crypto";

      const app = express();
      const SECRET = process.env.BLNK_SECRET; // must match server.secret_key

      app.use(express.json({ verify: (req, _, buf) => { req.rawBody = buf; } }));

      app.post("/webhook", (req, res) => {
        const sig = req.header("x-blnk-signature");
        const ts = req.header("x-blnk-timestamp");
        if (!sig || !ts) return res.sendStatus(400);

        const expected = crypto.createHmac("sha256", SECRET)
          .update(`${ts}.${req.rawBody}`)
          .digest("hex");

        if (!crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected)))
          return res.sendStatus(401);

        res.sendStatus(200);
      });

      app.listen(3000);
      ```

      ```go Go theme={"system"}
      package main

      import (
        "crypto/hmac"
        "crypto/sha256"
        "encoding/hex"
        "io"
        "net/http"
        "os"
      )

      var secret = []byte(os.Getenv("BLNK_SECRET")) // must match server.secret_key

      func webhook(w http.ResponseWriter, r *http.Request) {
        sig := r.Header.Get("X-Blnk-Signature")
        ts := r.Header.Get("X-Blnk-Timestamp")
        if sig == "" || ts == "" {
          http.Error(w, "missing headers", http.StatusBadRequest)
          return
        }

        body, _ := io.ReadAll(r.Body)
        mac := hmac.New(sha256.New, secret)
        mac.Write([]byte(ts + "." + string(body)))
        expected := hex.EncodeToString(mac.Sum(nil))

        if !hmac.Equal([]byte(sig), []byte(expected)) {
          http.Error(w, "invalid signature", http.StatusUnauthorized)
          return
        }
        w.WriteHeader(http.StatusOK)
      }

      func main() {
        http.HandleFunc("/webhook", webhook)
        http.ListenAndServe(":3000", nil)
      }
      ```

      ```python Python theme={"system"}
      import hmac, hashlib, os
      from flask import Flask, request, abort

      app = Flask(__name__)
      SECRET = os.environ.get("BLNK_SECRET").encode()  # must match server.secret_key

      @app.route("/webhook", methods=["POST"])
      def webhook():
          sig = request.headers.get("X-Blnk-Signature")
          ts = request.headers.get("X-Blnk-Timestamp")
          if not sig or not ts:
              abort(400)

          signed = f"{ts}.".encode() + request.get_data()
          expected = hmac.new(SECRET, signed, hashlib.sha256).hexdigest()

          if not hmac.compare_digest(sig, expected):
              abort(401)
          return "", 200

      if __name__ == "__main__":
          app.run(port=3000)
      ```
    </CodeGroup>
  </Step>
</Steps>

***

## Related docs

<CardGroup cols={2}>
  <Card title="Global webhooks" icon="bell-ring" href="/webhooks/global-webhooks">
    Configure your webhook URL and handle deliveries.
  </Card>

  <Card title="Transaction hooks" icon="plug-zap" href="/webhooks/transaction-hooks">
    Register PRE and POST transaction endpoints.
  </Card>

  <Card title="Supported events" icon="list" href="/webhooks/events">
    Full catalog of global webhook event names.
  </Card>

  <Card title="Notification configuration" icon="bell" href="/advanced/configuration/notifications">
    Environment variables and `blnk.json` settings.
  </Card>
</CardGroup>

***

## Need help?

We are very happy to help you make the most of Blnk, regardless of whether it is your first time or you are switching from another tool.

To ask questions or discuss issues, please [contact us](mailto:support@blnkfinance.com) or [join our Discord community](https://discord.gg/7WNv94zPpx).

<CtaCallout title="Connect your ledger to Blnk Cloud" href="https://cloud.blnkfinance.com/auth/sign-up?utm_source=blnk_docs&utm_medium=documentation&utm_campaign=need-help" buttonLabel="Open Blnk Cloud" trackingEvent="clicked_cloud_signup">
  Sign up and manage your ledger with our back-office dashboard. You can invite teammates to collaborate and manage your ledger operations directly from the dashboard.
</CtaCallout>
