Bridge webhooks allow you to receive real-time notifications when events occur in your Bridge account. This guide covers creating, implementing, testing, and enabling webhooks using Bridge’s REST API.

Prerequisites

  • A Bridge account with API access
  • Bridge API credentials (API key)
  • HTTPS endpoint with valid X.509 certificate
  • Development environment with your preferred language (Ruby, Node.js, Python, or Go)

Step 1: Create a New Webhook

First, create a webhook endpoint using the Bridge API. The webhook will be created in disabled state initially.
Request
curl --request POST \
  --url https://api.bridge.xyz/v0/webhooks \
  --header 'Api-Key: <api-key>' \
  --header 'Content-Type: application/json' \
  --header 'Idempotency-Key: <idempotency-key>' \
  --data '{
    "url": "<your_webhook_url>",
    "event_epoch": "webhook_creation",
    "event_categories": [
      "customer",
	  "kyc_link",
      "transfer"
    ]
}'
Response
{
  "id": "webhook_abc123",
  "status": "disabled",
  "url": "https://your-domain.com/webhooks/bridge",
  "events": ["customer", "kyc_link", "transfer"],
  "created_at": "2024-01-15T10:30:00Z"
}
Save the webhook_id from the response - you’ll need it for testing and enabling the webhook.

Step 2: Implement the Webhook Handler

Create an endpoint that can receive and process Bridge webhook events with proper timestamp validation, refer Webhook Event Signature Verification. Bridge webhook signatures use the format: X-Webhook-Signature: t=<timestamp>,v0=<base64-encoded-signature> 
from flask import Flask, request, jsonify
from typing import Dict, Any, Optional, Union
import json
import base64
import time
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.exceptions import InvalidSignature

app = Flask(__name__)

class WebhookEvent:
    def __init__(self, data: Dict[str, Any]):
        self.api_version: str = data['api_version']
        self.event_id: str = data['event_id']
        self.event_category: str = data['event_category']
        self.event_type: str = data['event_type']
        self.event_object: Dict[str, Any] = data['event_object']
        self.event_object_changes: Optional[Dict[str, Any]] = data.get('event_object_changes')
        self.event_created_at: str = data['event_created_at']

class SignatureVerificationResult:
    def __init__(self, is_valid: bool, error: Optional[str] = None):
        self.is_valid = is_valid
        self.error = error

WEBHOOK_PUBLIC_KEY = """-----BEGIN PUBLIC KEY-----
your_webhook_public_key_here
-----END PUBLIC KEY-----"""

def verify_webhook_signature(payload: bytes, signature_header: str, public_key_pem: str) -> SignatureVerificationResult:
    try:
        # Parse signature header
        signature_parts = signature_header.split(',')
        timestamp = next((part.split('=', 1)[1] for part in signature_parts if part.startswith('t=')), None)
        signature = next((part.split('=', 1)[1] for part in signature_parts if part.startswith('v0=')), None)
        
        if not timestamp or not signature:
            return SignatureVerificationResult(False, 'Missing timestamp or signature')
        
        # Check timestamp (reject events older than 10 minutes)
        current_time = int(time.time() * 1000)
        if current_time - int(timestamp) > 600000:
            return SignatureVerificationResult(False, 'Timestamp too old')
        
        # Create signed payload
        signed_payload = f"{timestamp}.{payload.decode()}"
        
        # Verify signature
        public_key = serialization.load_pem_public_key(public_key_pem.encode())
        signature_bytes = base64.b64decode(signature)
        
        public_key.verify(
            signature_bytes,
            signed_payload.encode(),
            padding.PKCS1v15(),
            hashes.SHA256()
        )
        return SignatureVerificationResult(True)
    except InvalidSignature:
        return SignatureVerificationResult(False, 'Invalid signature')
    except Exception as e:
        return SignatureVerificationResult(False, f'Signature verification failed: {e}')

def handle_webhook_event(event: WebhookEvent) -> None:
    if event.event_type == 'customer.created':
        print(f"New customer created: {event.event_object.get('id')}")
    elif event.event_type == 'customer.updated':
        print(f"Customer updated: {event.event_object.get('id')}")
    elif event.event_type == 'transfer.created':
        print(f"Transfer created: {event.event_object.get('id')}")
    else:
        print(f"Unhandled event type: {event.event_type}")

@app.route('/webhooks/bridge', methods=['POST'])
def handle_webhook():
    payload = request.get_data()
    signature_header = request.headers.get('X-Webhook-Signature')
    
    if not signature_header:
        return jsonify({'error': 'Missing signature header'}), 400
    
    verification = verify_webhook_signature(payload, signature_header, WEBHOOK_PUBLIC_KEY)
    
    if not verification.is_valid:
        print(f"Signature verification failed: {verification.error}")
        return jsonify({'error': 'Invalid signature'}), 400
    
    try:
        event_data = json.loads(payload)
        event = WebhookEvent(event_data)
        handle_webhook_event(event)
        return jsonify({'received': True})
    except Exception as e:
        print(f"Failed to parse webhook event: {e}")
        return jsonify({'error': 'Invalid JSON'}), 400

if __name__ == '__main__':
    app.run(port=3000, debug=True)

Step 3: Test the Webhook

Before enabling your webhook, test it to ensure it’s working correctly.

Send a Test Event

# Send a test event to your webhook
curl --request POST \
  --url https://api.bridge.xyz/v0/webhooks/{webhookID}/send \
  --header 'Api-Key: <api-key>' \
  --header 'Content-Type: application/json' \
  --header 'Idempotency-Key: <idempotency-key>' \
  --data '{
  	"event_id": "<string>"
}'

Check Webhook Logs

# View webhook delivery logs
curl --request GET \
  --url https://api.bridge.xyz/v0/webhooks/{webhookID}/logs \
  --header 'Api-Key: <api-key>'

List upcoming webhook events

# Retrieve upcoming events for the webhook
curl --request GET \
  --url https://api.bridge.xyz/v0/webhooks/{webhookID}/events \
  --header 'Api-Key: <api-key>'

Step 4: Enable the Webhook

Once you’ve tested your webhook and confirmed it’s working, enable it to start receiving live events.
Request
curl --request PUT \
  --url https://api.bridge.xyz/v0/webhooks/{webhookID} \
  --header 'Api-Key: <api-key>' \
  --header 'Content-Type: application/json' \
  --data '{
  	"url": "https://your-domain.com/webhooks/bridge",
  	"status": "active",
  	"event_categories": [
   	 "customer"
  	]
}'
Response
{
  "id": "wep_123",
  "url": "https://your-domain.com/webhooks/bridge",
  "status": "active",
  "public_key": "-----BEGIN PUBLIC KEY-----\\nFJJ3hFnaPLmxxG4a5w0BAQEFAAOCAQ8AMIIBCgKCAQEAtYhc6PV2LOs/nqDRHi0B\\nMKTsdMLHtg58a1NDxaYfw4IZJ3hpy1qIFUgt5X0HhCYZE0Y40MyLGIejPyitEjYw\\ni9/aE+9F/PN+btqN7OK6cVuF9s/R9cZCtNc27UdTQXrUO5T8GXNAMmRr0KFh8yPv\\nfIgpoZn5ZhnyRbZpDvrxHzLmcZJFAX8Ca+KZLzgGVybEqJtP6fKAT0zrrUS1z44s\\nRDOLiXl543cRAmBnUyrT6cXiNz/PNbm4zRK5Nx7LGxBFrCWQCao4Yi8hrwWsnHxg\\n0Tcy3UyZhAcgL6ydVJfLD5x58Ri4BN32WPBtgSSO6JxZZwCiX0d1BOgq7+eNgmzN\\nJQIDAQAB\\n-----END PUBLIC KEY-----\\n",
  "event_categories": [
    "customer",
    "liquidation_address",
    "virtual_account",
    "virtual_account.activity",
    "card_account",
    "card_transaction",
    "card_withdrawal",
    "posted_card_account_transaction"
  ]
}
Your webhook is now active and will receive live events from Bridge!

Security Best Practices

  1. Always verify webhook signatures to ensure events are from Bridge
  2. Use HTTPS endpoints with valid certificates
  3. Store webhook secrets securely (use environment variables)
  4. Return 200 status quickly to avoid timeouts
  5. Implement idempotency to handle duplicate events
  6. Log webhook events for debugging and monitoring

Common Event Types

  • customer.created - New customer registration
  • customer.updated - Customer information changes
  • payment.succeeded - Successful payment processing
  • payment.failed - Failed payment attempt
  • subscription.created - New subscription
  • subscription.cancelled - Subscription cancellation

Troubleshooting

  • Check webhook logs for delivery status and error messages
  • Verify your endpoint URL is accessible and returns 200
  • Ensure signature verification is implemented correctly
  • Check for certificate issues on your HTTPS endpoint
  • Monitor response times to avoid timeout issues

Next Steps

  • Review the Webhooks documentation for more details
  • Implement proper error handling and retry logic
  • Set up monitoring and alerting for webhook failures
  • Consider implementing webhook replay functionality for critical events
This completes your webhook integration with Bridge. Your application will now receive real-time notifications for customer events and can respond accordingly.