Webhooks
Webhooks let you receive real-timepayment.succeeded notifications whenever a buyer pays for any of your resources โ endpoints, products, components, or agent endpoints.
Plan Requirement: Webhooks are available on Pro and Business plans only. Free plan accounts receive a 403 response.
How It Works
Webhooks are account-level (seller-level), not per-resource. You register one webhook URL and it receives events for all resources you own.- ๐ฐ Payment Happens โ Buyer pays for any of your resources
- ๐ก Webhook Fires โ Signed POST request to your URL
- โ You Act โ Fulfill order, grant access, log it
Setup via Dashboard
- Go to Dashboard โ Webhooks
- Click Create Webhook
- Enter your HTTPS endpoint URL
- A signing secret is generated automatically โ copy and store it securely
Event: payment.succeeded
Every webhook delivery is a POST request with this JSON body:
| Field | Description |
|---|---|
source | Resource type: endpoint, product |
source_slug | The slug of the resource that was paid for |
amount / currency | Payment amount and asset (e.g. USDC) |
tx_hash | On-chain transaction hash |
network | base or solana |
Verifying Signatures
Studio seller webhooks are HMAC-signed. Current deliveries include:X-X402-Signatureโ HMAC-SHA256 hex digestX-X402-Timestampโ Unix timestamp for the deliveryX-X402-Eventโ event type for routing/loggingX-X402-Event-Idโ stable event id for idempotency/replay protection
- payload:
timestamp.rawBody - algorithm:
HMAC-SHA256 - secret: webhook
signing_secret
Node.js
Python
Backward Compatibility
Some older receivers still accept raw-secret headers like:x-x402layer-secretx-x402-secretAuthorization: Bearer <secret>
Two Secret Hops
1) Studio โ your webhook receiver
- secret: webhook
signing_secret - auth model: HMAC verification using the signed headers above
2) Your receiver โ your app settlement route
- secret: your own app-internal shared secret
- example: a worker sends
x-x402-secretand the app verifies it withX402_WEBHOOK_SECRET
Coverage Matrix
| Source | Route | Status |
|---|---|---|
| Endpoint payments | /e/:slug | โ Live |
| Product payments | /p/:slug | โ Live |
| Components (via endpoints) | โ | โ Live |
| Agent endpoint create | /agent/endpoints | โ Live |
| Agent endpoint top-up | /agent/endpoints | โ Live |
Best Practices
- ๐ Always verify signed headers first โ Never trust unverified payloads.
- โก Respond quickly (< 5s) โ Process asynchronously and return
200immediately. Queue heavy work. - ๐ Handle duplicates โ Use the event
idfor idempotency. - ๐ Rotate secrets carefully โ If deliveries suddenly start returning
401, first check whether the webhook signing secret rotated or drifted. Update the receiver before discarding the old value. - ๐งพ Log headers, not secrets โ Log signature/timestamp/event/event-id presence for debugging, but never log the secret itself.
- ๐ ๏ธ Know the common failure mode โ If Studio deliveries
401but a manual POST with the stored secret works, the receiver likely only supports legacy raw-secret auth while Studio is sending signed webhooks.
Webhook API Reference
| Method | Endpoint | Description |
|---|---|---|
GET | /api/webhooks | List your webhooks |
POST | /api/webhooks | Create a new webhook |
PATCH | /api/webhooks/:id | Toggle active / rotate secret |
DELETE | /api/webhooks/:id | Delete a webhook |
