Webhooks best practices

Implement these best practices when using webhooks.

When using webhooks it is important to implement good practices to ensure your webhooks are secured and that your integration with Fintoc works as expected.

Types of Events

Your webhook should be configured so that it only listens to the events required for your application to work properly. We advise you to ignore unnecessary events, as they will only add extra load to your server.

Avoid Event duplication

For a plethora of reasons, it is possible that Fintoc sends the same event more than once to your application. That's why it is important that your webhook endpoint ensures idempotency when receiving events. A way of achieving this could be by storing the id of each event after being processed and then discarding events that already have been processed.


Keeping your endpoints secure is critical to protecting your customers’ information. Fintoc provides several ways for you to verify events are coming from Fintoc in a secure manner.

Receive events with an HTTPS server

Fintoc requires that the URL of your webhook endpoint is secured by a certificate that allows it to receive HTTPS requests. Fintoc won't send events to your server if it is not secured.

Verify events are sent from Fintoc

Verify webhook signatures to confirm that received events are sent from Fintoc. Additionally, make sure these events originate from one of the following IP addresses: