# Event notifications (Webhooks)
source: https://developer.mastercard.com/ob-accept-payments/documentation/developer-support/event-notifications/index.md

Webhooks are notifications about particular events, sent from the server to clients. In technical terms, a webhook is a web request that the server sends to a web address belonging to the client when specific events happen. The request has a JSON body containing details about the event.

We use the terms "notification" and "webhook" interchangeably in our documentation.

#### Create a webhook endpoint {#create-a-webhook-endpoint}

The first step is to create an endpoint on the client's web service that:

* Can receive a POST request with a JSON body
* Can acknowledge the call by returning a 200 status code
* Is public so that it can be called from our servers

An endpoint that meets these requirements lets the client's web service receive webhooks whose payload the client can act on.

#### Acknowledgment of notification {#acknowledgment-of-notification}

To acknowledge that a notification has been received, a 200 HTTP status code must be returned within a timeout. All other response codes indicate that the webhook has not been received successfully.

It is important to acknowledge the notification as soon as possible so that we know that it has been received. Otherwise, we will retry the notification attempt 10 times with an exponential backoff strategy. We encourage returning a 200 HTTP status as soon as possible before executing any complex logic to avoid possible timeouts.

#### Register webhook URL {#register-webhook-url}

Webhook URLs are configured during client onboarding.

Ensure that the webhook endpoint is configured to use HTTPS with a valid certificate.

During webhook configuration, a secret is used to validate that the notification originates from Mastercard Open Finance Pay. See the Security section below.

#### Delivery headers {#delivery-headers}

A request to your configured webhook URL has several special headers:

|     **Header**      |                      **Description**                       |
|---------------------|------------------------------------------------------------|
| `X-Correlation-Id`  | A unique identifier value that is attached to the request. |
| `X-Mcobs-Event`     | The type of event that triggered the delivery.             |
| `X-Mcobs-Signature` | HMAC-SHA256 of the request body. See the Security section.   |

#### Security {#security}

Mastercard adds an X-Mcobs-Signature header that allows the client to verify that a webhook is sent by us.

Here is a C# example of how to generate such a signature:

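```c#
using System;
using System.Security.Cryptography;
using System.Text;

// Returns the lowercase hex HMAC-SHA256 of the payload, keyed with the webhook secret.
string Generate(string payload, string secret)
{
    var encoding = new UTF8Encoding();

    // Both the payload and the secret are hashed as UTF-8 bytes.
    var textBytes = encoding.GetBytes(payload);
    var keyBytes = encoding.GetBytes(secret);

    byte[] hashBytes;

    using (var hash = new HMACSHA256(keyBytes))
    {
        hashBytes = hash.ComputeHash(textBytes);
    }

    // BitConverter yields "AB-CD-..."; strip the dashes and lowercase the hex digits.
    return BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
}
```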

Compute the signature over the request body exactly as it was received, read as a string. Deserializing the JSON first might change the order of keys, which makes the computed signature incorrect.

Once you have generated a signature from the webhook request, you should compare its value against the X-Mcobs-Signature header's value. If they match, the webhook was generated by Mastercard Open Finance Pay and can be considered safe.
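An added example (not Mastercard's code) of the comparison step on the receiving side, assuming the header carries the lowercase hex string that `Generate` above produces; `WebhookVerifier`, `IsValid`, the secret and the sample bodies are constructed for illustration. It checks the raw request bytes with a constant-time comparison and rejects a missing or malformed header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; WebhookVerifier and IsValid are hypothetical names, not part of any SDK.
public static class WebhookVerifier
{
    // rawBody: request body bytes exactly as received, before any JSON parsing.
    // signatureHeader: value of X-Mcobs-Signature, or null when the header is absent.
    public static bool IsValid(byte[] rawBody, string signatureHeader, string secret)
    {
        // SHA-256 output is 32 bytes, so a well-formed header is exactly 64 hex characters.
        if (rawBody == null || signatureHeader == null || signatureHeader.Length != 64)
            return false;

        byte[] received;
        try { received = Convert.FromHexString(signatureHeader); }  // .NET 5 or later
        catch (FormatException) { return false; }                   // non-hex characters

        byte[] expected;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
        {
            expected = hmac.ComputeHash(rawBody);
        }

        // Constant-time comparison: duration does not depend on where the first mismatch is.
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }

    public static void Main()
    {
        // Constructed sample values, not a real secret or a real notification payload.
        const string secret = "example-secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"b\":1,\"a\":2}");
        string header;
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
        {
            header = Convert.ToHexString(hmac.ComputeHash(body)).ToLowerInvariant();
        }
        byte[] reordered = Encoding.UTF8.GetBytes("{\"a\":2,\"b\":1}");  // same JSON, keys reordered

        Console.WriteLine(IsValid(body, header, secret));       // body bytes as received
        Console.WriteLine(IsValid(reordered, header, secret));  // body after re-serialization
        Console.WriteLine(IsValid(body, "not-hex", secret));    // malformed header
        Console.WriteLine(IsValid(body, null, secret));         // missing header
    }
}
```

The second call shows why the body must not be deserialized before verification: the reordered JSON is semantically identical but its bytes differ, so the check fails.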

Refer to [Payloads](https://developer.mastercard.com/ob-accept-payments/documentation/developer-support/event-notifications/payloads/index.md) for details on the webhooks format.
