Skip to main content
GET
/
webhooks
Get Webhook Configuration
curl --request GET \
  --url https://api.fyatu.com/api/v3.20/webhooks \
  --header 'Authorization: Bearer <token>'
{}

Documentation Index

Fetch the complete documentation index at: https://docs.fyatu.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Returns your current webhook configuration. One webhook URL receives all card and cardholder events for your account.

Response Fields

FieldTypeDescription
webhookUrlstring | nullYour configured webhook endpoint
isConfiguredbooleantrue if a webhook URL is set
hasWebhookSecretbooleantrue if a signing secret is configured
createdAtstringWhen webhook was first configured
updatedAtstringWhen webhook was last updated
The webhookSecret value itself is never returned after initial generation. If you’ve lost it, use POST /webhooks/secret/regenerate to issue a new one (this invalidates the previous secret).

Webhook Signature Verification

Every webhook payload is signed with your webhookSecret using HMAC-SHA256. Verify the signature before processing any webhook: 
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(JSON.stringify(payload))
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature, 'hex'),
    Buffer.from(expected, 'hex')
  );
}

// In your webhook handler:
app.post('/webhooks/fyatu', (req, res) => {
  const signature = req.headers['x-fyatu-signature'];
  const isValid = verifyWebhook(req.body, signature, process.env.WEBHOOK_SECRET);

  if (!isValid) {
    return res.status(401).send('Invalid signature');
  }

  // Process webhook...
  res.status(200).send('OK');
});

Authorizations

Authorization
string
header
required

JWT access token obtained from POST /auth/token

Response

200 - application/json

Webhook retrieved

The response is of type object.