Set Up Your Webhooks
Welcome to the webhook setup section! Configure your webhook preferences to stay informed about key events.
Webhook Events
Choose the events you want to receive notifications for:
- ✅ onInit: Stay informed about the initialization process.
- ✅ onAction: Receive updates for user actions.
- ✅ onKYCSubmit: Receive notifications when KYC submission occurs.
- ✅ onIdVerificationComplete: Get notified when user verification is complete.
- ✅ onOnboarding: Custom webhook event for onboarding.
Webhook Configuration in Admin Panel
Follow these steps to configure a new webhook in your admin panel:
- Log in to the Admin Panel.
- Navigate to "Settings" in the left sidebar and find the "Webhook Configuration" tab.
- Click "Add New" to create a new webhook.
- Select the desired "Webhook Type" from the dropdown.
- Enter the desired "Webhook URL" where you want to receive POST notifications.
- Click "Save" or "Submit" to save your webhook configuration.
IP Whitelisting (Optional)
For enhanced security, whitelist our IP address to ensure only authorized requests are accepted.
Congratulations! You have successfully configured a webhook.
For additional details and troubleshooting, refer to your application's documentation or contact support.
Note: Ensure that your webhook endpoint is secure and configured to accept only POST requests for successful integration.
Webhook Signature Verification
To ensure the authenticity of webhook requests, we generate an HMAC SHA256 signature using a merchant-specific API KEY secret. Merchants can verify the signature on their end to confirm the request's integrity.
How to Get the API KEY
Follow these steps to configure an API KEY in your admin panel:
- Log in to the Admin Panel.
- Navigate to "Settings" in the left sidebar and find the "API Credentials" tab.
- Generate an API KEY. Keep the API KEY: you need it to verify the payload of the webhooks Cellbunq sends to your webhook URL.
Webhook Request Headers
Each webhook request includes a signature in the X-Payload-Signature header:
X-Payload-Signature: <generated_signature>
Verifying the Signature
To verify the webhook request, the merchant should:
- Retrieve the payload from the request body.
- Generate a signature using their stored API KEY.
- Compare it with the X-Payload-Signature value in the request header.
```python
import hmac
import hashlib
import json

MERCHANT_SECRET_KEY = "GENERATED_API_KEY"  # Merchant's stored secret key


def verify_signature(received_payload: dict, received_signature: str) -> bool:
    """Verify the webhook signature."""
    # Serialize as compact JSON (no spaces after "," and ":")
    payload_str = json.dumps(received_payload, separators=(",", ":"))
    expected_signature = hmac.new(
        MERCHANT_SECRET_KEY.encode(), payload_str.encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison, so timing does not reveal how much matched
    return hmac.compare_digest(expected_signature, received_signature)


# Simulated received webhook request (JSON null becomes None once parsed)
received_payload = {
    "email": "john.doe@example.com",
    "reference_id": None,
    "client_reference_id": "123e4567-e89b-12d3-a456-426614174001",
    "mode": "Accepted",
    "group_name": "ABC Company",
    "group_token": "456e7890-f12c-34d5-6789-012345678901",
    "created_at": "2023-01-15 08:30:00",
}
received_signature = "signature_from_webhook_header"  # Extract from 'X-Payload-Signature' header

# Verify the signature
if verify_signature(received_payload, received_signature):
    print("Webhook is verified")
else:
    print("Webhook verification failed!")
```
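A framework-agnostic receiver check that combines the verification steps above with the POST-only note, as an added example (not Cellbunq's code). It assumes, as the sample above does, that the signature is the hex HMAC-SHA256 of the compact JSON payload; `sign`, `handle_webhook`, the status codes and the sample key are hypothetical.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-payload-signature"  # header name from this page, lowercased


def sign(payload: dict, api_key: str) -> str:
    """Hex HMAC-SHA256 over compact JSON (assumed scheme, as in the page's sample)."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return hmac.new(api_key.encode(), body, hashlib.sha256).hexdigest()


def handle_webhook(method: str, headers: dict, raw_body: bytes, api_key: str):
    """Hypothetical handler: returns (http_status, reason); act on the event only on 200."""
    if method.upper() != "POST":
        return 405, "only POST is accepted"
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER, "").strip()
    if not received:
        return 401, "missing signature header"
    try:
        payload = json.loads(raw_body)
    except ValueError:  # covers malformed JSON and undecodable bytes
        return 400, "body is not valid JSON"
    if not isinstance(payload, dict):
        return 400, "unexpected payload shape"
    # Compare as bytes: constant-time, and no TypeError on non-ASCII header values.
    expected = sign(payload, api_key).encode()
    if not hmac.compare_digest(expected, received.encode()):
        return 401, "signature mismatch"
    return 200, "verified"


if __name__ == "__main__":
    key = "constructed-test-key"  # constructed sample, not a real API KEY
    event = {"email": "john.doe@example.com", "mode": "Accepted"}  # constructed
    body = json.dumps(event).encode()
    good = {"X-Payload-Signature": sign(event, key)}
    print(handle_webhook("POST", good, body, key))  # genuine request
    print(handle_webhook("POST", good, body.replace(b"Accepted", b"Rejected"), key))  # tampered
    print(handle_webhook("GET", good, body, key))  # wrong method
```

Rejecting a request with a missing or empty header before computing anything keeps an unsigned POST from ever reaching the event-processing path.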