Skip to main content
Webhooks let Yativo push event data to your server the moment something happens, instead of you polling the API. When an event fires, Yativo sends an HTTP POST to your configured endpoint with a signed JSON payload.

Create a Webhook

POST /webhook/create
url
string
required
The HTTPS URL Yativo will POST events to.
events
array
required
Array of event types to subscribe to. Use ["*"] to subscribe to all events.
description
string
Optional human-readable description.
cURL
curl -X POST https://crypto-api.yativo.com/api/webhook/create \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-server.com/webhooks/yativo",
    "events": ["deposit.confirmed", "withdrawal.completed", "transaction.failed"],
    "description": "Production webhook"
  }'
Response
{
  "id": "wh_01abc123",
  "url": "https://your-server.com/webhooks/yativo",
  "events": ["deposit.confirmed", "withdrawal.completed", "transaction.failed"],
  "secret": "whsec_abc123xyz...",
  "status": "active",
  "created_at": "2026-03-26T10:00:00Z"
}
Store the secret immediately. You’ll use it to verify webhook signatures. It cannot be retrieved later.

List Webhooks

GET /webhook/list
cURL
curl -X GET https://crypto-api.yativo.com/api/webhook/list \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Get a Webhook

GET /webhook/{id}
cURL
curl -X GET https://crypto-api.yativo.com/api/webhook/wh_01abc123 \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Update a Webhook

PUT /webhook/{id} Update the URL, events, or description. Any field omitted retains its current value.
cURL
curl -X PUT https://crypto-api.yativo.com/api/webhook/wh_01abc123 \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "events": ["*"],
    "description": "Updated to all events"
  }'

Delete a Webhook

DELETE /webhook/{id}
cURL
curl -X DELETE https://crypto-api.yativo.com/api/webhook/wh_01abc123 \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Activate / Deactivate

Temporarily pause a webhook without deleting it. POST /webhook/{id}/activate POST /webhook/{id}/deactivate
cURL
curl -X POST https://crypto-api.yativo.com/api/webhook/wh_01abc123/deactivate \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

View Webhook Events

GET /webhook/{id}/events Returns a paginated log of all events delivered to this webhook, including status and response codes.
cURL
curl -X GET https://crypto-api.yativo.com/api/webhook/wh_01abc123/events \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Retry a Failed Event

POST /webhook/events/{id}/retry Re-delivers a specific event that previously failed or was not acknowledged.
cURL
curl -X POST https://crypto-api.yativo.com/api/webhook/events/evt_01def456/retry \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Test a Webhook

POST /webhook/{id}/test Sends a test payload to your endpoint so you can verify your handler is working.
cURL
curl -X POST https://crypto-api.yativo.com/api/webhook/wh_01abc123/test \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Signature Verification

Every webhook request includes an X-Webhook-Signature header. This is an HMAC-SHA256 signature of the raw request body, computed using your webhook secret. Always verify the signature before processing webhook events. This confirms the request came from Yativo and was not tampered with. 
import crypto from 'crypto';
import { Request, Response } from 'express';

const WEBHOOK_SECRET = process.env.YATIVO_WEBHOOK_SECRET!;

export function verifyWebhook(req: Request, res: Response, next: Function) {
  const signature = req.headers['x-webhook-signature'] as string;
  const rawBody = (req as any).rawBody as Buffer; // ensure body parser preserves raw bytes

  if (!signature || !rawBody) {
    return res.status(400).json({ error: 'Missing signature or body' });
  }

  const expected = crypto
    .createHmac('sha256', WEBHOOK_SECRET)
    .update(rawBody)
    .digest('hex');

  const isValid = crypto.timingSafeEqual(
    Buffer.from(signature, 'hex'),
    Buffer.from(expected, 'hex')
  );

  if (!isValid) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  next();
}

Webhook Payload Structure

All webhook payloads share the same envelope: 
{
  "id": "evt_01abc123",
  "type": "deposit.confirmed",
  "created_at": "2026-03-26T10:05:00Z",
  "data": {
    // event-specific fields
  }
}

Best Practices

Your endpoint should return a 200 status within a few seconds. Do your heavy processing in the background. If Yativo does not receive a 2xx response, it will retry the event with exponential backoff.
Webhooks can be delivered more than once (e.g., after retries). Use the id field to deduplicate events in your database before processing.
Yativo only delivers webhooks to HTTPS endpoints. HTTP endpoints will be rejected at configuration time.
Check /webhook/{id}/events regularly to spot delivery failures before they become business problems.