Skip to main content
Blockra sends a POST request to your registered HTTPS endpoint whenever a notable event occurs on a payment or payout. React to confirmations, expirations, and payouts in real time without polling the API. Every delivery is signed so you can verify it genuinely came from Blockra.

Setting up a webhook endpoint

1

Expose an HTTPS endpoint

Create a route on your server that accepts POST requests with a JSON body, reachable over HTTPS, that returns a 2xx response quickly.
2

Register the endpoint

In the Blockra dashboard, go to Developers → Webhooks (or call POST /webhooks) and add your endpoint URL plus the events to subscribe to. Blockra returns a signing secret (prefixed whsec_) once, on creation — copy it and store it securely. You need it to verify signatures.
3

Verify and handle events

Verify the X-Blockra-Signature header on each delivery before trusting the payload (see below), then return 2xx.

Events

Subscribe to any of these when you register an endpoint. Each delivery also carries the event name in an X-Blockra-Event header.
EventWhen it fires
payment.createdA payment was created
payment.confirmingFunds were seen on-chain; waiting for the required confirmations
payment.completedPayment confirmed; your balance was credited
payment.expiredThe 30-minute quote expired before funds arrived
payout.completedA withdrawal was confirmed on-chain
payment.refundedReserved — not currently emitted

Payload structure

Every delivery uses the same envelope: the event type, a created Unix timestamp (seconds), and a data.object holding the resource — a payment, or a withdrawal for payout.completed.
payment.completed
data.object is the same shape returned by GET /payments/{id} (or the withdrawal object for payout.completed), including integer *_atoms amount fields for exactness.

Verifying signatures

Every delivery includes an X-Blockra-Signature header of the form:
  • t — the Unix timestamp (seconds) when the delivery was signed.
  • v1 — the hex HMAC-SHA256, keyed with your endpoint’s signing secret, over the timestamp t, a literal ., and the raw request body (that is, t + "." + body).
Recompute v1 and compare it in constant time. Optionally reject deliveries whose t is more than a few minutes old to guard against replay.
Sign over the raw request body, before any JSON parsing or re-serialisation. Reformatting the body changes the bytes and invalidates the signature.

Responding to deliveries

Return a 2xx status code quickly — within a few seconds — then do any slow work asynchronously. A non-2xx response or a timeout is retried up to 6 times with backoff: 1 minute, 5 minutes, 30 minutes, 2 hours, then 6 hours. After the final attempt the delivery is marked failed.
Make your handler idempotent — key off the event type plus data.object.id. Blockra may deliver the same event more than once.