# Mastercard Data Connect Webhooks
source: https://developer.mastercard.com/open-finance-us/documentation/webhooks/webhooks-connect/index.md

Webhook events are sent during a Mastercard Data Connect session as the customer interacts with the application. You can track progress through a session, get information about customer usage, and receive notifications when certain processes are complete.

You will need to define a public RESTful web service that is accessible from the Mastercard platform.
Tip: For testing purposes, you can use tools like webhook.site or beeceptor.com that receive webhooks and post the content for you to review (note that this is not an official endorsement of any of these services). In production, you **must** use your own secure webhook service.

When you call an API to [generate a Data Connect url](https://developer.mastercard.com/open-finance-us/documentation/connect/generate-2-connect-url-apis/index.md), pass the URL of your listener in the `webhook` parameter of your request. Event messages will be sent from Mastercard Data Connect to your listener.

For details of the events for Data Connect, see [Data Connect Events](https://developer.mastercard.com/open-finance-us/documentation/webhooks/webhooks-connect/webhooks-events-connect/index.md).

For details of the events after generating a [Lend report](https://developer.mastercard.com/open-finance-us/documentation/products/lend/reports/index.md) through Data Connect, see [Report Events (Data Connect)](https://developer.mastercard.com/open-finance-us/documentation/webhooks/webhooks-report/report-webhooks-dc/index.md).
Warning: The webhook system described on this page does not support [Mastercard Data Connect Components](https://developer.mastercard.com/open-finance-us/documentation/connect/components/index.md).
Components webhooks will be available through the upcoming [OBWMS](https://developer.mastercard.com/open-finance-us/documentation/webhooks/obwms/index.md).

Currently, you can get Components event notifications through the
[Data Connect Components Web SDK](https://developer.mastercard.com/open-finance-us/documentation/connect/components/integration/ccwebsdk/index.md).

### Event Body {#event-body}

All events include a wrapper that contains metadata. The event data is within the `payload` key. If you specified custom events via the `webhookData` parameter when [generating a Data Connect url](https://developer.mastercard.com/open-finance-us/documentation/connect/generate-2-connect-url-apis/index.md), you will receive the [custom event data](https://developer.mastercard.com/open-finance-us/documentation/webhooks/webhooks-connect/webhooks-custom/index.md) back in the `webhookData` key.

The following example shows the format of the event.

```JSON
{
  "customerId":"12345678",
  "consumerId":"ed81281fcec7ec557aa7d292a3188b75",
  "eventType":"started",
  "eventId":"1495468585434-0e73d1719173766fe4dfe1a8",
  "payload":{
    "event data will be here"
  },
  "webhookData": {
    "custom event data will be here"
  }
}  
```

### Prevent Spoofing {#prevent-spoofing}

If you're using webhooks for sensitive or critical information, we recommend that you verify the signature of the webhook.

### Tips for Best Practice: {#tips-for-best-practice}

1. Create a SHA-256 HMAC of the request body using your Partner Secret as the key.
2. Compare it to the signature included in the `X-Finicity-Signature` header. If the two are equal, the request is valid; otherwise, it is spoofed.
3. Store the `eventId` and ignore webhooks with an ID that has already been processed to prevent replay attacks.

The X-Finicity-Signature header gets added to every event sent.

Here is an example of signature verification in NodeJS:

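```javascript
const crypto = require('crypto');
const express = require('express');

const router = express.Router();
router.use(express.json()); // parse the JSON body into request.body
const partnerSecret = '{{PARTNER_SECRET}}';

router.use('/webhook-handler', (request, res) => {
  const body = request.body;
  // SHA-256 HMAC of the request body, keyed with the Partner Secret.
  // JSON.stringify(body) must reproduce the exact bytes that were signed.
  const signature = crypto
    .createHmac('sha256', partnerSecret)
    .update(JSON.stringify(body))
    .digest('hex');

  // Compare in constant time; a missing or wrong-length header is rejected.
  const expected = Buffer.from(signature);
  const received = Buffer.from(request.get('x-finicity-signature') || '');
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    throw new Error('Spoofing detected, rejecting webhook');
  }
  res.sendStatus(200); // acknowledge so the event is registered as a success
});
```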

Tip: If we get a 200 HTTP response from your webhook listener server, the webhook event is registered as a success. For any non-200 HTTP status code (failed event), we will resend the webhook.

Our retry logic will function for 3 days with an exponential back-off, meaning we will try multiple times within the first few minutes followed by a retry every hour for 72 hours. The exact instances of each retry within the first few minutes are as follows:
12ms, 72ms, 432ms, 2592ms, 15552ms, 93312ms.
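
The following is an added example, not Mastercard's code: it combines the three steps under Tips for Best Practice with the retry behaviour, so that a replayed or re-sent `eventId` is acknowledged but not processed twice. The function names, the sample secret and event, the in-memory `Set`, the 400/401/500 status codes, and the assumption that the listener has the raw request body as a string are all choices made for this example.

```javascript
const crypto = require('crypto');

// Constructed sample values; the secret and the event are not real.
const SAMPLE_SECRET = 'example-partner-secret';
const SAMPLE_BODY = JSON.stringify({
  customerId: '12345678',
  eventType: 'started',
  eventId: '1495468585434-0e73d1719173766fe4dfe1a8',
  payload: {},
});

// Step 1: hex SHA-256 HMAC of the body, keyed with the Partner Secret.
function sign(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// Step 2, compared in constant time; a missing or wrong-length header fails.
function signatureValid(rawBody, header, secret) {
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(typeof header === 'string' ? header : '');
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// Returns the HTTP status the listener should send back.
// `seen` is a Set here; production needs a shared, persistent store.
function handleWebhook(rawBody, header, secret, seen, onEvent) {
  if (!signatureValid(rawBody, header, secret)) return 401; // spoofed
  let event;
  try { event = JSON.parse(rawBody); } catch { return 400; }
  if (typeof event.eventId !== 'string') return 400;
  // Step 3: a known eventId is a replay or a retry. Acknowledge, do not reprocess.
  if (seen.has(event.eventId)) return 200;
  // On failure the eventId stays unrecorded, so the sender's retry is processed.
  try { onEvent(event); } catch { return 500; }
  seen.add(event.eventId);
  return 200;
}
```

The signature is checked before the body is parsed, so unauthenticated input never reaches `JSON.parse` or the event store.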
