When Obiex sends webhook events (e.g., deposits, withdrawals), it includes a security header so you can verify the request came from Obiex.
Setting Up Webhooks
- Log in to your Obiex dashboard
- Navigate to Settings > Developers > Webhook Url
- Add your webhook endpoint URL
- Copy your Signature Secret
Signature Verification
All webhook requests include the header:
x-obiex-signature: <HMAC-SHA512 hex digest>
The signature is the HMAC-SHA512 of the raw request body, keyed with your Signature Secret and hex-encoded.
Verifying the Signature
- Read the raw request body as a string (do not parse first)
- Read the x-obiex-signature header
- Compute HMAC SHA512 of the raw body using your Signature Secret
- Hex-encode the result
- Compare with the received signature
Example: Node.js (Express)
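import crypto from 'crypto';
import express from 'express';

const app = express();
const signatureSecret = process.env.OBIEX_SIGNATURE_SECRET!;

// express.raw() leaves req.body as a Buffer holding the exact bytes that were signed
app.post('/webhook', express.raw({ type: 'application/json' }), (req, res) => {
  const receivedSignature = req.headers['x-obiex-signature'];
  // A missing header, or a body express.raw() did not capture, cannot be verified
  if (typeof receivedSignature !== 'string' || !Buffer.isBuffer(req.body)) {
    return res.status(401).send('Invalid signature');
  }
  const body = req.body.toString();
  const computedSignature = crypto
    .createHmac('sha512', signatureSecret)
    .update(req.body)
    .digest('hex');

  // Compare in constant time; timingSafeEqual requires equal-length inputs
  const expected = Buffer.from(computedSignature);
  const received = Buffer.from(receivedSignature);
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return res.status(401).send('Invalid signature');
  }

  // Signature is valid - process webhook
  const webhookEvent = JSON.parse(body);
  console.log('Received webhook:', webhookEvent);
  res.status(200).send('Received');
});

app.listen(3000, () => {
  console.log('Listening for webhooks on port 3000');
});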
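The "do not parse first" step matters because the digest covers the exact bytes received. The following added example (not Obiex's own code) verifies a signature outside any framework and shows which inputs fail; the secret, the event body and the function names `signBody`, `verifyObiexSignature` and `runChecks` are constructed for illustration.

```javascript
// Added example: framework-independent check for the x-obiex-signature header.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// HMAC-SHA512 of the raw body, hex-encoded, as described on this page.
function signBody(rawBody, secret) {
  return crypto.createHmac('sha512', secret).update(rawBody).digest('hex');
}

// True only when the header matches the digest of the exact bytes received.
function verifyObiexSignature(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== 'string') return false; // header missing
  const expected = Buffer.from(signBody(rawBody, secret));
  const received = Buffer.from(signatureHeader);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Constructed sample data: the secret and the body fields are made up.
const SECRET = 'test-signature-secret';
const rawBody = Buffer.from('{"event": "deposit.completed",  "amount": "0.5"}');
const header = signBody(rawBody, SECRET);

// What a handler would hash if a JSON parser ran first and the result
// was serialised again: same data, different bytes.
const reserialised = Buffer.from(JSON.stringify(JSON.parse(rawBody.toString())));
const tampered = Buffer.from(rawBody.toString().replace('0.5', '50'));

function runChecks() {
  return {
    genuine: verifyObiexSignature(rawBody, header, SECRET),
    reserialised: verifyObiexSignature(reserialised, header, SECRET),
    tampered: verifyObiexSignature(tampered, header, SECRET),
    wrongSecret: verifyObiexSignature(rawBody, header, 'other-secret'),
    missingHeader: verifyObiexSignature(rawBody, undefined, SECRET),
    truncated: verifyObiexSignature(rawBody, header.slice(0, 64), SECRET),
  };
}

console.log(runChecks());
```

Only the untouched body with the matching secret verifies; the re-serialised body fails even though it carries the same data.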
Handling Webhook Events
Common webhook events include:
- deposit.completed: Crypto deposit confirmed
- withdrawal.completed: Crypto withdrawal processed
- withdrawal.failed: Crypto withdrawal failed
- bank_transfer.completed: Fiat deposit/withdrawal completed
Always verify the signature before processing any webhook event to ensure it was sent by Obiex.