Skip to main content
Webhooks are automated HTTP POST requests sent by Cadana when events occur on the platform. Use them to get real-time updates for transactions, payroll, KYC, and more.

Webhook Structure

Every webhook follows this envelope structure:
JSON

Getting Started

Configure Your Endpoint

  1. Navigate to SettingsDevelopersWebhooks in the Dashboard
  2. Click Add Webhook
  3. Enter the URL where you want to receive events
Platform integrators configure webhooks in the Platform Dashboard instead — the same SettingsDevelopersWebhooks path. A platform endpoint receives events for all businesses on the platform; use the tenantKey in each payload to tell them apart.

Handle Events

After registering an endpoint, Cadana sends an HTTP POST request to your URL every time a subscribed event occurs. Parse the eventType field to determine how to handle each event.

Respond Promptly

Your endpoint must return a 2xx status code to acknowledge receipt. Any response outside the 2xx range — including 3xx redirects — is treated as a failure and will trigger retries.
Respond with 200 OK immediately, then process the payload asynchronously via a message queue. This prevents timeouts.

Verifying Webhooks

Every webhook includes signature headers you should verify to confirm it was sent by Cadana.

Signature Headers

Verification

Use the Svix libraries to verify signatures automatically:
JavaScript
Your signing secret is available in SettingsDevelopersWebhooks in the Dashboard. For manual verification, see the Svix manual verification docs.

Retry Policy

If your endpoint fails to respond with a 2xx status code, Cadana retries delivery with exponential backoff: After all retries are exhausted (~3 days), the webhook is marked as failed.

Best Practices

  1. Respond immediately — Return 200 OK first, process asynchronously. Don’t do heavy work before responding.
  2. Deduplicate — Use the id field to detect and skip duplicate deliveries. Retried webhooks keep the same id.
  3. Fetch the latest state — Webhooks can arrive out of order. After receiving an event, fetch the resource via API (e.g., GET /v1/payouts/{id}) to get the latest state.
  4. Implement reconciliation — Webhook delivery is not guaranteed. Periodically poll the API to catch any missed events.
  5. Verify signatures — Always verify the svix-signature header before processing a webhook to prevent spoofing.