1. Webhooks
Cresium
  • Cresium - V3 Partners
    • API
      • Auth Information for V3 API Partners
      • V3 - Health
        • Health check
      • V3 - Transaction
        • Get Transaction data
        • Search transactions
        • Make a transfer
        • Confirm a transaction
        • Reverse a deposit transaction
        • Get transaction receipt
      • V3 - BankAddress
        • Get Address
      • V3 - CompanyFeature
        • Get Company Features
        • Update Feature Enabled State
      • V3 - Rate
        • Get TNA rate
      • V3 - DepositAddress
        • Update Deposit Address
        • Create Deposit Address
      • V3 - Invoice
        • Create Invoices
        • Read Invoices
      • V3 - Partner
        • Search partner transactions
      • V3 - User Address
        • Create or get User Address
      • V3 - Auth
        • V3 - Balance
          • Get all wallets for Company
        • Generate change password ID for partner user
      • V3 - CompanyTax
        • Upsert Company Tax
      • V3 - Signature Request
        • Create Signature Request
        • Update Signature Request
      • V3 - Payment
        • Create Payments
        • Read Payments
      • Webhooks
        • Auth Information for Webhooks
        • Transactions Events Examples - DEPOSIT
  1. Webhooks

Auth Information for Webhooks

Partner Webhooks#

All webhook events sent by this API are secured with Partner-level authentication.
Partners are responsible for verifying the authenticity of every webhook by validating the signature.

Webhook Event Structure#

Each webhook request has the following JSON structure:
{
  "type": "DEPOSIT", 
  "data": { ... }, 
  "retry": 1
}
type
The type of webhook event.
Currently, only DEPOSIT events are supported.
data
The event payload.
(You will receive detailed specifications of this object separately.)
retry
Indicates the current retry attempt (from 1 to 5).
If the Partner’s server fails to respond with a successful 2xx HTTP code, the webhook will be retried up to 5 times.

Required Headers#

Each webhook request includes the following headers:
x-api-key
Partner API Key (used to identify the Partner).
x-company-id
The ID of the company associated with the event.
x-timestamp
The timestamp in Unix epoch milliseconds when the webhook was sent.
Partners should reject requests older than 5 minutes to avoid replay attacks.
x-signature
HMAC-SHA256 signature generated with the Partner’s secret and Base64-encoded.

Signature Construction#

The signature is constructed in the same way as API requests.
Concatenate the following values, separated by |:
{timestamp}|{HTTP_METHOD}|{PATH}|{BODY}
Where:
timestamp: The value from x-timestamp.
HTTP_METHOD: Always POST for webhooks.
PATH: The full path of the webhook endpoint provided by the Partner (including any query parameters).
BODY: JSON-encoded webhook payload (the full request body).
Example string to sign:
1726744512000|POST|/webhooks/partner?token=xyz|{"type":"deposit","data":{...},"retry":1}

Example Verification (Node.js)#

The Partner must validate that the generated signature matches the x-signature header sent by the server.
If the signature is invalid, the webhook should be discarded.

Retry Policy#

Webhooks are retried up to 5 times if the Partner’s endpoint does not return a 2xx response.
The retry field in the payload indicates the current attempt number (1–5).
After 5 failed attempts, the webhook will be dropped and no further retries will be performed.
Modified at 2025-09-23 14:48:55
Previous
Read Payments
Next
Transactions Events Examples - DEPOSIT
Built with