POST request to your registered HTTPS endpoint whenever a notable event occurs on a payment or payout. React to confirmations, expirations, and payouts in real time without polling the API. Every delivery is signed so you can verify it genuinely came from Blockra.
Setting up a webhook endpoint
Expose an HTTPS endpoint
Create a route on your server that accepts
POST requests with a JSON body, reachable over HTTPS, that returns a 2xx response quickly.Register the endpoint
In the Blockra dashboard, go to Developers → Webhooks (or call
POST /webhooks) and add your endpoint URL plus the events to subscribe to. Blockra returns a signing secret (prefixed whsec_) once, on creation — copy it and store it securely. You need it to verify signatures.Events
Subscribe to any of these when you register an endpoint. Each delivery also carries the event name in anX-Blockra-Event header.
| Event | When it fires |
|---|---|
payment.created | A payment was created |
payment.confirming | Funds were seen on-chain; waiting for the required confirmations |
payment.completed | Payment confirmed; your balance was credited |
payment.expired | The 30-minute quote expired before funds arrived |
payout.completed | A withdrawal was confirmed on-chain |
payment.refunded | Reserved — not currently emitted |
Payload structure
Every delivery uses the same envelope: the eventtype, a created Unix timestamp (seconds), and a data.object holding the resource — a payment, or a withdrawal for payout.completed.
payment.completed
data.object is the same shape returned by GET /payments/{id} (or the withdrawal object for payout.completed), including integer *_atoms amount fields for exactness.Verifying signatures
Every delivery includes anX-Blockra-Signature header of the form:
t— the Unix timestamp (seconds) when the delivery was signed.v1— the hex HMAC-SHA256, keyed with your endpoint’s signing secret, over the timestampt, a literal., and the raw request body (that is,t+"."+ body).
v1 and compare it in constant time. Optionally reject deliveries whose t is more than a few minutes old to guard against replay.
Responding to deliveries
Return a2xx status code quickly — within a few seconds — then do any slow work asynchronously. A non-2xx response or a timeout is retried up to 6 times with backoff: 1 minute, 5 minutes, 30 minutes, 2 hours, then 6 hours. After the final attempt the delivery is marked failed.

