# Consent Webhooks
source: https://developer.mastercard.com/open-finance-au/documentation/consent/consent-notifications/index.md

A data recipient can subscribe to receive consent notifications at a webhook URL. Consent notifications
are triggered by
[consent lifecycle](https://developer.mastercard.com/open-finance-au/documentation/consent/index.md) changes, such as:

* Consent is created.
* An institution arrangement is added to the overall consent.
* An institution arrangement is revoked.
* The overall consent with one or more institutions under it is revoked.
* The overall consent with one or more institutions under it is expired.

Some consent notifications require actions to be taken in regard to the collected data. Refer to [Processing Consent Notifications](https://developer.mastercard.com/open-finance-au/documentation/consent/processing-consent-notifications/index.md) to learn about what post-event actions are required.

Note: All Mastercard partners are required to subscribe to consent notifications, as this is the only way to get the CDR-required notification that a consent has expired or been revoked. See [Notifications to CDR participants](https://www.oaic.gov.au/consumer-data-right/consumer-data-right-guidance-for-business/consumer-data-right-privacy-safeguard-guidelines/chapter-c-consent-the-basis-for-collecting-and-using-cdr-data#notification-requirements).

#### Subscribing to notifications {#subscribing-to-notifications}

To start receiving consent notifications, you will need to subscribe to them. If a subscription is successful, the API call will return the `subscriptionID` and `signingKey`. You can use `signingKey` to verify the validity of the received notifications (see [Prevent Spoofing](https://developer.mastercard.com/open-finance-au/documentation/consent/prevent-spoofing/index.md)).

Note: We highly recommend that you save both the `subscriptionID` and the `signingKey` received within the Create subscription API response. For security reasons, the `signingKey` cannot be fetched after subscribing. If you have lost your sandbox signing key, then a new key can be created by creating a new PartnerID and resubscribing. If you have lost your production key, contact your Mastercard representative for assistance.

API Reference: `POST /notifications/webhooks/subscriptions`

Tip: For testing purposes you can use commonly used online tools like webhook.site, requestbin.com, beeceptor.com, or other tools that will receive webhooks and post the content for you to review (note that this is not an official endorsement for any of these services). In production you **must** use your own secure webhook service.

To prevent consent notifications from being missed on the receiving side, ensure that incoming HTTPS messages from Mastercard are allowed.

If we get a 200 HTTP response from your webhook listener server, the webhook event is registered as a success. For any non-200 HTTP status code (failed event), we will resend the webhook.

Our retry logic performs exponential retries for 24 hours. The exact instances of each retry are as follows: 6 s, 48 s, 5 min, 34 min, 3 hours 42 min, 24 hours.
Once the maximum retry window is reached, notification retries stop.
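One way to honour these delivery semantics on the receiving side, as an added example that is not Mastercard's code: the listener answers 200 only after the notification is durably stored, answers non-200 when storing fails so that the retry schedule redelivers it, and treats a redelivery as a no-op. The names `open_inbox`, `accept_notification`, `ConsentWebhook`, the file `consent_inbox.db` and the listen address are hypothetical, and deduplicating on a hash of the body assumes a retry resends identical bytes.

```python
import hashlib
import sqlite3
from http.server import BaseHTTPRequestHandler, HTTPServer


def open_inbox(path=":memory:"):
    """Durable inbox; the primary key turns a redelivered notification into a no-op."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS inbox (digest TEXT PRIMARY KEY, body BLOB NOT NULL)"
    )
    return db


def accept_notification(db, raw_body):
    """Return the HTTP status to send back for one delivery attempt."""
    # Assumption: a retry carries the same bytes, so the body hash identifies it.
    digest = hashlib.sha256(raw_body).hexdigest()
    try:
        with db:  # commit before acknowledging
            db.execute("INSERT OR IGNORE INTO inbox VALUES (?, ?)", (digest, raw_body))
    except sqlite3.Error:
        return 500  # not stored: any non-200 makes the sender resend later
    return 200  # only 200 registers as success; a 202 or 204 would be resent


class ConsentWebhook(BaseHTTPRequestHandler):
    inbox = None  # set before serving

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw_body = self.rfile.read(length)
        # Verify the notification with the signingKey (see Prevent Spoofing)
        # here, before storing; that scheme is not described on this page.
        self.send_response(accept_notification(self.inbox, raw_body))
        self.end_headers()


if __name__ == "__main__":
    ConsentWebhook.inbox = open_inbox("consent_inbox.db")
    # Plain HTTP on loopback; put a TLS-terminating proxy in front of it,
    # since notifications arrive over HTTPS.
    HTTPServer(("127.0.0.1", 8080), ConsentWebhook).serve_forever()
```

Process the stored rows in a separate worker so that slow post-event actions never delay the 200 acknowledgement.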

#### Get subscription {#get-subscription}

To check subscription details, use the Get Subscription and Get All Subscriptions APIs. These APIs return the details of either a particular subscription or of all subscriptions. For example:

* The current URL.
* When the subscription was created.
* When the subscription was last updated.

Note: For security reasons, these APIs do not return a `signingKey`.

API Reference: `GET /notifications/webhooks/subscriptions/{subscription_id}`

API Reference: `GET /notifications/webhooks/subscriptions`

#### Updating subscription {#updating-subscription}

Over time, you may need to use a different webhook URL to receive notifications, for example because the previous URL was compromised or because of an environment upgrade.

API Reference: `PUT /notifications/webhooks/subscriptions/{subscription_id}/url`

Tip: If possible, we recommend that you keep the old URL environment functional for 24 hours after the updated subscription request as there may be notifications in the system waiting in the queue to be sent to the old URL.

#### Resources {#resources}

* Refer to the [Consent](https://developer.mastercard.com/open-finance-au/documentation/consent/index.md) page to learn more about the importance of consent and its lifecycle.
* Refer to [Processing Consent Notifications](https://developer.mastercard.com/open-finance-au/documentation/consent/processing-consent-notifications/index.md) to learn about the consent notification event types and understand what actions are required when the event is received.
* Refer to [Consent Notifications Structure](https://developer.mastercard.com/open-finance-au/documentation/consent/consent-notifications-structure/index.md) to learn about the consent notifications structure in detail.
* Refer to [Prevent Spoofing](https://developer.mastercard.com/open-finance-au/documentation/consent/prevent-spoofing/index.md) to validate the authenticity of the consent notification and prevent attacks.
