> ## Documentation Index
> Fetch the complete documentation index at: https://www.marqeta.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhooks

> Use webhooks to send notifications about API events as they occur.

export const EndpointCard = ({method = "API", title, children, href, arrow = true}) => {
  const METHOD_STYLES = {
    GET: {
      bg: "mint-bg-green-400/20 dark:mint-bg-green-400/20",
      text: "mint-text-green-700 dark:mint-text-green-400",
      border: "mint-border-green-300 dark:mint-border-green-700"
    },
    POST: {
      bg: "mint-bg-blue-400/20 dark:mint-bg-blue-400/20",
      text: "mint-text-blue-700 dark:mint-text-blue-400"
    },
    PUT: {
      bg: "mint-bg-yellow-400/20 dark:mint-bg-yellow-400/20",
      text: "mint-text-yellow-700 dark:mint-text-yellow-400"
    },
    PATCH: {
      bg: "mint-bg-orange-400/20 dark:mint-bg-orange-400/20",
      text: "mint-text-orange-700 dark:mint-text-orange-400"
    },
    DELETE: {
      bg: "mint-bg-red-400/20 dark:mint-bg-red-400/20",
      text: "mint-text-red-700 dark:mint-text-red-400"
    },
    API: {
      bg: "mint-bg-black",
      text: "mint-text-white"
    }
  };
  const MethodBadge = ({method}) => {
    const style = METHOD_STYLES[method?.toUpperCase()] ?? METHOD_STYLES.GET;
    return <span className={`
          method-pill rounded-lg font-semibold px-1.5 py-0.5 text-xs leading-5 ${style.bg} ${style.text}`}>
        {method?.toUpperCase()}
      </span>;
  };
  const content = <div className="group flex items-center gap-4 border border-gray-200 dark:border-gray-700 rounded-xl p-5 hover:border-gray-400 dark:hover:border-gray-500 hover:shadow-md transition-all cursor-pointer">
      {}
      <div className="shrink-0">
        <MethodBadge method={method} />
      </div>
      {}
      <div className="flex-1 min-w-0">
        <p className="font-semibold text-gray-900 dark:text-white text-sm leading-snug">{title}</p>
        {children && <p className="mt-1 text-sm text-gray-500 dark:text-gray-400 line-clamp-2">{children}</p>}
      </div>
    </div>;
  if (!href) return content;
  return <a href={href} className="block no-underline border-b-0 mb-2">
      {content}
    </a>;
};

Webhooks are notifications about API events, sent as they occur. The Marqeta platform sends these notifications to an endpoint that is hosted in your environment and configured to receive and process them.

Create a webhook object to represent your webhook endpoint. Configure it with the URL of your webhook endpoint and a set of credentials for accessing that endpoint. You can configure it to send notifications for a single event, a group of events by type, or all event types. To set up multiple webhook endpoints and route different types of event notifications to each, create multiple webhook objects and configure each to send a specific type of event notification to a specific endpoint.

See [About Webhooks](/developer-guides/about-webhooks/) for information on notifications and a tutorial that walks you through the configuration of your webhook endpoint.

See [Event Types](/core-api/event-types/) for reference documentation on the types of events that the Marqeta platform supports.

<Note>
  **Note**\
  Webhooks URLs are cached. Changes made on your webhook endpoint can take up to one hour to be applied.
</Note>

<h2 id="post_webhooks">
  Create webhook
</h2>

**Action:** `POST`\
**Endpoint:** `/webhooks`

{/* <EndpointCard
title="Create webhook"
path="/webhooks"
method="post"
/> */}

Creates a webhook.

<Note>
  **Note**\
  As shown in the example, `config.secret`, `config.basic_auth_username`, and `config.basic_auth_password` are masked in responses to this and all other requests. To access these values later, store them securely before making the request.
</Note>

<h3 id="_request_body">
  Request body
</h3>

| Fields                                                                 | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Optional                          | Indicates whether the webhook is active.<br /><br />**Allowable Values:**<br /><br />`true`, `false`<br /><br />**Default value:**<br />`true`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| config<br /><br />object<br /><br />Required                           | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| config.**basic\_auth\_password**<br /><br />string<br /><br />Required | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />20–50 chars<br /><br />- Must contain at least one numeral<br />- Must contain at least one lowercase letter<br />- Must contain at least one uppercase letter<br />- Must contain at least one of these symbols:<br />`@``#``$``%``!``^``&``\*``(``)`<br />`\\``_``+``~``-``=``[``]``\{``}`<br />`,``;``:``'``"``.``/``<``>``?`<code>\`</code>                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| config.**basic\_auth\_username**<br /><br />string<br /><br />Required | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–50 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| config.**custom\_header**<br /><br />object<br /><br />Optional        | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| config.**secret**<br /><br />string<br /><br />Optional                | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />20–50 chars<br /><br />- Must contain at least one numeral<br />- Must contain at least one lowercase letter<br />- Must contain at least one uppercase letter<br />- Must contain at least one of these symbols:<br />`@``#``$``%``!``^``&``\*``(``)`<br />`\\``_``+``~``-``=``[``]``\{``}`<br />`,``;``:``'``"``.``/``<``>``?`<code>\`</code> |
| config.**signature\_algorithm**<br /><br />string<br /><br />Optional  | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                                                                                                                                                                |
| config.**url**<br /><br />string<br /><br />Required                   | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| config.**use\_mtls**<br /><br />boolean<br /><br />Optional            | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| events<br /><br />array of strings<br /><br />Required                 | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>.                                                                                                                                        |
| name<br /><br />string<br /><br />Required                             | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| token<br /><br />string<br /><br />Optional                            | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />1–36 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |

<h3 id="_sample_request_body">
  Sample request body
</h3>

```json JSON lines wrap theme={null}
{
  "token": "my_webhook_token",
  "active": true,
  "events": [
    "*"
  ],
  "config": {
    "url": "https://my_secure_domain.com/webhook",
    "secret": "my_20-character-min_secret",
    "signature_algorithm": "HMAC_SHA_256",
    "basic_auth_username": "my_username",
    "basic_auth_password": "my_20-to-50-character_password",
    "custom_header": {
      "my_header_name_1": "my_value_1",
      "my_header_name_2": "my_value_2"
    }
  },
  "name": "my_webhook_name"
}
```

<h3 id="_response_body">
  Response body
</h3>

| Fields                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Conditionally returned                         | Indicates whether the webhook is active. This field is returned if you included it in your webhook.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| config<br /><br />object<br /><br />Returned                                        | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| config.**basic\_auth\_password**<br /><br />string<br /><br />Returned              | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the password, followed by 10 asterisks and the last character of the password.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**basic\_auth\_username**<br /><br />string<br /><br />Returned              | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the username, followed by 10 asterisks and the last character of the username.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**custom\_header**<br /><br />object<br /><br />Conditionally returned       | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| config.**secret**<br /><br />string<br /><br />Conditionally returned               | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the secret, followed by 10 asterisks and the last character of the secret.                                                                                    |
| config.**signature\_algorithm**<br /><br />string<br /><br />Conditionally returned | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                         |
| config.**url**<br /><br />string<br /><br />Returned                                | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| config.**use\_mtls**<br /><br />boolean<br /><br />Conditionally returned           | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                |
| created\_time<br /><br />datetime<br /><br />Conditionally returned                 | Date and time when the webhook event was created, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| events<br /><br />array of strings<br /><br />Returned                              | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>. |
| last\_modified\_time<br /><br />datetime<br /><br />Conditionally returned          | Date and time when the associated object was last modified, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| name<br /><br />string<br /><br />Returned                                          | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| token<br /><br />string<br /><br />Conditionally returned                           | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />1–36 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

<h3 id="_sample_response_body">
  Sample response body
</h3>

```json JSON expandable lines wrap theme={null}
{
  "name": "my_webhook_name",
  "active": true,
  "config": {
    "url": "https://my_secure_domain.com/webhook",
    "secret": "m**********t",
    "signature_algorithm": "HMAC_SHA_256",
    "basic_auth_username": "m**********e",
    "basic_auth_password": "m**********d",
    "custom_header": {
      "my_header_name_1": "my_value_1",
      "my_header_name_2": "my_value_2"
    }
  },
  "events": [
    "*"
  ],
  "token": "my_webhook_token",
  "created_time": "2023-02-24T23:20:28Z",
  "last_modified_time": "2023-02-24T23:20:28Z"
}
```

<h2 id="get_webhooks">
  List webhooks
</h2>

**Action:** `GET`\
**Endpoint:** `/webhooks`

{/* <EndpointCard
title="List webhooks"
path="/webhooks"
method="get"
/> */}

Returns an array of all webhooks.

This endpoint supports [field filtering](/core-api/field-filtering/), [sorting](/core-api/sorting-and-pagination/), and [pagination](/core-api/sorting-and-pagination/).

<Note>
  **Note**\
  As shown in the example, `config.secret`, `config.basic_auth_username`, and `config.basic_auth_password` are masked in responses to this and all other requests. To ensure that you can access these values as needed, update them on your endpoint, store them securely, and then [update the webhook subscription](/core-api/webhooks/#put_webhooks_token).
</Note>

<h3 id="_url_query_parameters">
  URL query parameters
</h3>

| Fields                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                          |
| --------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Optional       | Set to `true` to return only active webhook configurations, otherwise all webhook configurations will be returned.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                       |
| count<br /><br />integer<br /><br />Optional        | Number of resources to retrieve.<br /><br />**Allowable Values:**<br /><br />1-10<br /><br />**Default value:**<br />5                                                                                                                                                                                                                                                                                               |
| start\_index<br /><br />integer<br /><br />Optional | Sort order index of the first resource in the returned array.<br /><br />**Allowable Values:**<br /><br />Any integer<br /><br />**Default value:**<br />0                                                                                                                                                                                                                                                           |
| fields<br /><br />string<br /><br />Optional        | Comma-delimited list of fields to return (`field_1,field_2`, and so on). Leave blank to return all fields.<br /><br />**Allowable Values:**<br /><br />Comma-delimited list of fields, or blank                                                                                                                                                                                                                      |
| sort\_by<br /><br />string<br /><br />Optional      | Field on which to sort. Use any field in the resource model, or one of the system fields `lastModifiedTime` or `createdTime`. Prefix the field name with a hyphen (`-`) to sort in descending order. Omit the hyphen to sort in ascending order.<br /><br />**Allowable Values:**<br /><br />`createdTime`, `lastModifiedTime`, or any field in the resource model<br /><br />**Default value:**<br />`-createdTime` |

<h3 id="_response_body_2">
  Response body
</h3>

| Fields                                                                                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| count<br /><br />integer<br /><br />Conditionally returned                                  | Number of resources to retrieve.<br /><br />This field is returned if there are resources in your returned array.<br /><br />**Allowable Values:**<br /><br />1-10                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| data<br /><br />array of objects<br /><br />Conditionally returned                          | Array of webhooks resources.<br /><br />Resources are returned as appropriate to your query.<br /><br />**Allowable Values:**<br /><br />Valid array of one or more webhook objects                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| data\[].**active**<br /><br />boolean<br /><br />Conditionally returned                     | Indicates whether the webhook is active. This field is returned if you included it in your webhook.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| data\[].**config**<br /><br />object<br /><br />Returned                                    | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| data\[].config.**basic\_auth\_password**<br /><br />string<br /><br />Returned              | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the password, followed by 10 asterisks and the last character of the password.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| data\[].config.**basic\_auth\_username**<br /><br />string<br /><br />Returned              | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the username, followed by 10 asterisks and the last character of the username.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| data\[].config.**custom\_header**<br /><br />object<br /><br />Conditionally returned       | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| data\[].config.**secret**<br /><br />string<br /><br />Conditionally returned               | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the secret, followed by 10 asterisks and the last character of the secret.                                                                                    |
| data\[].config.**signature\_algorithm**<br /><br />string<br /><br />Conditionally returned | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                         |
| data\[].config.**url**<br /><br />string<br /><br />Returned                                | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| data\[].config.**use\_mtls**<br /><br />boolean<br /><br />Conditionally returned           | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                |
| data\[].**created\_time**<br /><br />datetime<br /><br />Conditionally returned             | Date and time when the webhook event was created, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| data\[].**events**<br /><br />array of strings<br /><br />Returned                          | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>. |
| data\[].**last\_modified\_time**<br /><br />datetime<br /><br />Conditionally returned      | Date and time when the associated object was last modified, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| data\[].**name**<br /><br />string<br /><br />Returned                                      | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| data\[].**token**<br /><br />string<br /><br />Conditionally returned                       | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />1–36 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| end\_index<br /><br />integer<br /><br />Conditionally returned                             | Sort order index of the last resource in the returned array.<br /><br />This field is returned if there are resources in your returned array.<br /><br />**Allowable Values:**<br /><br />Any integer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| is\_more<br /><br />boolean<br /><br />Conditionally returned                               | A value of `true` indicates that more unreturned resources exist. A value of `false` indicates that no more unreturned resources exist.<br /><br />This field is returned if there are resources in your returned array.<br /><br />**Allowable Values:**<br /><br />Any integer                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| start\_index<br /><br />integer<br /><br />Conditionally returned                           | Sort order index of the first resource in the returned array.<br /><br />This field is returned if there are resources in your returned array.<br /><br />**Allowable Values:**<br /><br />Any integer                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |

<h3 id="_sample_response_body_2">
  Sample response body
</h3>

```json JSON expandable lines wrap theme={null}
{
  "count": 1,
  "start_index": 0,
  "end_index": 0,
  "is_more": true,
  "data": [
    {
      "name": "my_webhook_name",
      "active": true,
      "config": {
        "url": "https://my_secure_domain.com/webhook",
        "secret": "m**********t",
        "signature_algorithm": "HMAC_SHA_256",
        "basic_auth_username": "m**********e",
        "basic_auth_password": "m**********d",
        "custom_header": {
          "my_header_name_1": "my_value_1",
          "my_header_name_2": "my_value_2",
          "my_header_name_3": "my_value_3"
        }
      },
      "events": [
        "*"
      ],
      "token": "my_webhook_token",
      "created_time": "2023-02-24T23:20:28Z",
      "last_modified_time": "2023-02-24T23:20:28Z"
    }
  ]
}
```

<h2 id="put_webhooks_custom_headers_token">
  Update webhook custom headers
</h2>

**Action:** `PUT`\
**Endpoint:** `/webhooks/customheaders/{token}`

{/* <EndpointCard
title="Update webhook custom headers"
path="/webhooks/customheaders/{token}"
method="put"
/> */}

Adds or updates a webhook’s custom HTTP headers.

<h3 id="_url_path_parameters">
  URL path parameters
</h3>

| Fields                                      | Description                                                                                          |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| token<br /><br />string<br /><br />Required | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />Existing webhook token |

<h3 id="_request_body_2">
  Request body
</h3>

| Fields                                               | Description                                                                                                                                                                                                                                                                                                  |
| ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| custom\_header<br /><br />object<br /><br />Optional | Additional custom information included in the HTTP header. For example, this might contain security information, along with Basic Authentication, when making a JIT Funding request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value |

<h3 id="_sample_request_body_2">
  Sample request body
</h3>

```json JSON lines wrap theme={null}
{
  "custom_header": {
    "my_header_name_1": "my_value_1",
    "my_header_name_2": "my_value_2",
    "my_header_name_3": "my_value_3"
  }
}
```

<h3 id="_response_body_3">
  Response body
</h3>

| Fields                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Conditionally returned                         | Indicates whether the webhook is active. This field is returned if you included it in your webhook.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| config<br /><br />object<br /><br />Returned                                        | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| config.**basic\_auth\_password**<br /><br />string<br /><br />Returned              | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the password, followed by 10 asterisks and the last character of the password.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**basic\_auth\_username**<br /><br />string<br /><br />Returned              | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the username, followed by 10 asterisks and the last character of the username.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**custom\_header**<br /><br />object<br /><br />Conditionally returned       | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| config.**secret**<br /><br />string<br /><br />Conditionally returned               | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the secret, followed by 10 asterisks and the last character of the secret.                                                                                    |
| config.**signature\_algorithm**<br /><br />string<br /><br />Conditionally returned | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                         |
| config.**url**<br /><br />string<br /><br />Returned                                | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| config.**use\_mtls**<br /><br />boolean<br /><br />Conditionally returned           | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                |
| created\_time<br /><br />datetime<br /><br />Conditionally returned                 | Date and time when the webhook event was created, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| events<br /><br />array of strings<br /><br />Returned                              | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>. |
| last\_modified\_time<br /><br />datetime<br /><br />Conditionally returned          | Date and time when the associated object was last modified, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| name<br /><br />string<br /><br />Returned                                          | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| token<br /><br />string<br /><br />Conditionally returned                           | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />1–36 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

<h3 id="_sample_response_body_3">
  Sample response body
</h3>

```json JSON expandable lines wrap theme={null}
{
  "token": "my_webhook_01",
  "name": "my_webhook_name",
  "active": true,
  "config": {
    "url": "https://my_secure_domain.com/webhook",
    "secret": "m**********t",
    "signature_algorithm": "HMAC_SHA_256",
    "basic_auth_username": "m**********e",
    "basic_auth_password": "m**********d",
    "custom_header": {
      "my_header_name_1": "my_value_1",
      "my_header_name_2": "my_value_2",
      "my_header_name_3": "my_value_3"
    }
  },
  "events": [
    "transaction.*"
  ],
  "created_time": "2023-02-06T08:12:32Z",
  "last_modified_time": "2023-02-26T22:07:23Z"
}
```

<h2 id="get_webhooks_token">
  Retrieve webhook
</h2>

**Action:** `GET`\
**Endpoint:** `/webhooks/{token}`

{/* <EndpointCard
title="Retrieve webhook"
path="/webhooks/{token}"
method="get"
/> */}

Retrieves a webhook.

<Note>
  **Note**\
  As shown in the example, `config.secret`, `config.basic_auth_username`, and `config.basic_auth_password` are masked in responses to this and all other requests. To ensure that you can access these values as needed, update them on your endpoint, store them securely, and then [update the webhook subscription](/core-api/webhooks/#put_webhooks_token).
</Note>

<h3 id="_url_path_parameters_2">
  URL path parameters
</h3>

| Fields                                      | Description                                                                                          |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| token<br /><br />string<br /><br />Required | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />Existing webhook token |

<h3 id="_response_body_4">
  Response body
</h3>

| Fields                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Conditionally returned                         | Indicates whether the webhook is active. This field is returned if you included it in your webhook.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| config<br /><br />object<br /><br />Returned                                        | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| config.**basic\_auth\_password**<br /><br />string<br /><br />Returned              | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the password, followed by 10 asterisks and the last character of the password.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**basic\_auth\_username**<br /><br />string<br /><br />Returned              | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the username, followed by 10 asterisks and the last character of the username.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**custom\_header**<br /><br />object<br /><br />Conditionally returned       | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| config.**secret**<br /><br />string<br /><br />Conditionally returned               | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the secret, followed by 10 asterisks and the last character of the secret.                                                                                    |
| config.**signature\_algorithm**<br /><br />string<br /><br />Conditionally returned | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                         |
| config.**url**<br /><br />string<br /><br />Returned                                | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| config.**use\_mtls**<br /><br />boolean<br /><br />Conditionally returned           | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                |
| created\_time<br /><br />datetime<br /><br />Conditionally returned                 | Date and time when the webhook event was created, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| events<br /><br />array of strings<br /><br />Returned                              | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>. |
| last\_modified\_time<br /><br />datetime<br /><br />Conditionally returned          | Date and time when the associated object was last modified, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| name<br /><br />string<br /><br />Returned                                          | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| token<br /><br />string<br /><br />Conditionally returned                           | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />1–36 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

<h2 id="put_webhooks_token">
  Update webhook
</h2>

**Action:** `PUT`\
**Endpoint:** `/webhooks/{token}`

{/* <EndpointCard
title="Update webhook"
path="/webhooks/{token}"
method="put"
/> */}

Updates a webhook.

You can also use this endpoint to disable webhooks you no longer want to receive—there is no `DELETE` method available to remove unneeded webhooks. To disable a webhook, use this endpoint to set its `active` field to `false`.

<Note>
  **Note**\
  As shown in the example, `config.secret`, `config.basic_auth_username`, and `config.basic_auth_password` are masked in responses to this and all other requests. To access these values later, store them securely before making the request. When modifying authentication credentials, update the endpoint configuration before updating your webhook subscription to avoid missing any important event notifications.
</Note>

For instructions on managing your webhooks via the Developer Dashboard, see the [Developer Tools](/developer-guides/developer-tools/#_to_disable_a_webhook) guide.

<h3 id="_url_path_parameters_3">
  URL path parameters
</h3>

| Fields                                      | Description                                                                                          |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| token<br /><br />string<br /><br />Required | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />Existing webhook token |

<h3 id="_request_body_3">
  Request body
</h3>

| Fields                                                                 | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Optional                          | Indicates whether the webhook is active.<br /><br />**Allowable Values:**<br /><br />`true`, `false`<br /><br />**Default value:**<br />`true`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| config<br /><br />object<br /><br />Required                           | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| config.**basic\_auth\_password**<br /><br />string<br /><br />Required | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />20–50 chars<br /><br />- Must contain at least one numeral<br />- Must contain at least one lowercase letter<br />- Must contain at least one uppercase letter<br />- Must contain at least one of these symbols:<br />`@``#``$``%``!``^``&``\*``(``)`<br />`\\``_``+``~``-``=``[``]``\{``}`<br />`,``;``:``'``"``.``/``<``>``?`<code>\`</code>                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| config.**basic\_auth\_username**<br /><br />string<br /><br />Required | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–50 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| config.**custom\_header**<br /><br />object<br /><br />Optional        | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| config.**secret**<br /><br />string<br /><br />Optional                | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />20–50 chars<br /><br />- Must contain at least one numeral<br />- Must contain at least one lowercase letter<br />- Must contain at least one uppercase letter<br />- Must contain at least one of these symbols:<br />`@``#``$``%``!``^``&``\*``(``)`<br />`\\``_``+``~``-``=``[``]``\{``}`<br />`,``;``:``'``"``.``/``<``>``?`<code>\`</code> |
| config.**signature\_algorithm**<br /><br />string<br /><br />Optional  | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                                                                                                                                                                |
| config.**url**<br /><br />string<br /><br />Required                   | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| config.**use\_mtls**<br /><br />boolean<br /><br />Optional            | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| events<br /><br />array of strings<br /><br />Required                 | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>.                                                                                                                                        |
| name<br /><br />string<br /><br />Required                             | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |

<h3 id="_response_body_5">
  Response body
</h3>

| Fields                                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| active<br /><br />boolean<br /><br />Conditionally returned                         | Indicates whether the webhook is active. This field is returned if you included it in your webhook.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| config<br /><br />object<br /><br />Returned                                        | Contains the configuration information for the webhook.<br /><br />**Allowable Values:**<br /><br />`basic_auth_password`, `basic_auth_username`, `custom_header`, `secret`, `url`, `use_mtls`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| config.**basic\_auth\_password**<br /><br />string<br /><br />Returned              | Password for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the password, followed by 10 asterisks and the last character of the password.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**basic\_auth\_username**<br /><br />string<br /><br />Returned              | Username for accessing your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the username, followed by 10 asterisks and the last character of the username.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| config.**custom\_header**<br /><br />object<br /><br />Conditionally returned       | Custom headers to be passed along with the request.<br /><br />**Allowable Values:**<br /><br />Up to three name-value pairs: 500 char max per name, 500 char max per value                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| config.**secret**<br /><br />string<br /><br />Conditionally returned               | Randomly chosen string used for implementing HMAC-SHA1 or HMAC-SHA256, depending on the value included in the `signature_algorithm` field. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />12 chars<br /><br />The first character of the secret, followed by 10 asterisks and the last character of the secret.                                                                                    |
| config.**signature\_algorithm**<br /><br />string<br /><br />Conditionally returned | Algorithm used for signature verification. A signature provides an added layer of security by authenticating the message and validating message integrity. Using this functionality requires that your webhook endpoint verify the message signature. For information about implementing this functionality, see <a href="/developer-guides/signature-verification/">Signature Verification</a>.<br /><br />**Allowable Values:**<br /><br />1–20 chars<br /><br />- Value must be either `HMAC_SHA_1` (legacy) or `HMAC_SHA_256` (recommended).<br />- You must specify this value if `secret` is specified.                                                                                                                                         |
| config.**url**<br /><br />string<br /><br />Returned                                | URL of your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />1–255 chars<br /><br />- Must be HTTPS<br />- Empty string not allowed                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| config.**use\_mtls**<br /><br />boolean<br /><br />Conditionally returned           | Set to `true` to use use mutual transport layer security (mTLS) authentication for the webhook.<br /><br />mTLS authentication is in the beta testing phase, and is not yet generally available. Contact your Marqeta representative for more information about using mTLS authentication.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                |
| created\_time<br /><br />datetime<br /><br />Conditionally returned                 | Date and time when the webhook event was created, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| events<br /><br />array of strings<br /><br />Returned                              | Specifies the types of events for which notifications are sent.<br /><br />The wildcard character `\*` indicates that you receive all webhook notifications, or all notifications of a specified category. For example, `\*` indicates that you receive all webhook notifications; `transaction.\*` indicates that you receive all `transaction` webhook notifications.<br /><br />**NOTE:** You can only use the wildcard character with the *base* type events, not subcategories. For example, you cannot subscribe to `cardtransition.fulfillment.\*` events, but you can subscribe to `cardtransition.\*`.<br /><br />**Allowable Values:**<br /><br />For a comprehensive list of events, see <a href="/core-api/event-types/">Event Types</a>. |
| last\_modified\_time<br /><br />datetime<br /><br />Conditionally returned          | Date and time when the associated object was last modified, in UTC.<br /><br />**Allowable Values:**<br /><br />datetime<br /><br />**Format:**<br />yyyy-MM-ddThh:mm:ssZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| name<br /><br />string<br /><br />Returned                                          | Descriptive name of the webhook.<br /><br />**Allowable Values:**<br /><br />1–64 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| token<br /><br />string<br /><br />Conditionally returned                           | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />1–36 chars                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

<h2 id="post_webhooks_token_ping">
  Ping webhook
</h2>

**Action:** `POST`\
**Endpoint:** `/webhooks/{token}/ping`

{/* <EndpointCard
title="Ping webhook"
path="/webhooks/{token}/ping"
method="post"
/> */}

Pings your webhook endpoint.

Send a ping request to your webhook endpoint to validate credentials and connectivity. Your webhook endpoint must be configured to respond.

<h3 id="_configuring_your_webhook_endpoint">
  Configuring your webhook endpoint
</h3>

When the Marqeta platform receives the ping request, it sends a `POST` request containing the following body to the URL of your webhook endpoint:

```json JSON lines wrap theme={null}
{
  "pings": [
    {
      "token": "marqeta",
      "payload": "healthcheck"
    }
  ]
}
```

To indicate that it is functioning properly, your webhook endpoint must respond with a status code of `200` (see [Signature Verification](/developer-guides/signature-verification/) for a code example that identifies a ping request). The response can optionally include a [JSON](http://www.json.org/)-formatted body, for example:

```json JSON lines wrap theme={null}
{"my_endpoint_status": "alive"}
```

The Marqeta platform then responds to its requestor by echoing, as-is, the response code and body received from your webhook endpoint.

<h3 id="_using_the_ping_facility">
  Using the ping facility
</h3>

To ping a webhook endpoint, send a `POST` request to `/webhooks/{token}/ping` and use the `token` path parameter to specify which webhook you want to reach. Include an empty, [JSON](http://www.json.org/)-formatted body in the request, that is:

```json JSON lines wrap theme={null}
{}
```

The following chain of actions occurs during the successful execution of a ping operation:

<Steps>
  <Step>
    The Marqeta platform receives the ping request (`POST` to `/webhooks/{token}/ping`).
  </Step>

  <Step>
    The Marqeta platform sends a request to your webhook endpoint.
  </Step>

  <Step>
    Your webhook endpoint responds with a status code of "200" and an optional body.
  </Step>

  <Step>
    The Marqeta platform responds to its requestor by echoing, as-is, the response code and body it received from your webhook endpoint.
  </Step>
</Steps>

<Note>
  **Note**\
  If the customer-hosted endpoint fails to respond within five seconds, the Marqeta platform times out the request and responds with the following message body (where `<optional message>` represents additional details you can choose to include in the response):
</Note>

```json JSON lines wrap theme={null}
{
  "error_message": "Webhook operation failed " + <optional message>,
  "error_code": "422600"
}
```

Failed pings are not automatically retried.

<h3 id="_url_path_parameters_4">
  URL path parameters
</h3>

| Fields                                      | Description                                                                                          |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| token<br /><br />string<br /><br />Required | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />Existing webhook token |

<h3 id="_response_body_6">
  Response body
</h3>

| Fields                                                                   | Description                                                                                                                             |
| ------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
| pings<br /><br />array of objects<br /><br />Returned                    | Array of ping requests to your webhook endpoint.<br /><br />**Allowable Values:**<br /><br />Valid array of one or more `ping` requests |
| pings\[].**payload**<br /><br />string<br /><br />Conditionally returned | Payload of the ping request.<br /><br />**Allowable Values:**<br /><br />255 char max                                                   |
| pings\[].**token**<br /><br />string<br /><br />Conditionally returned   | Unique identifier of the ping request.<br /><br />**Allowable Values:**<br /><br />255 char max                                         |

<h3 id="_sample_response_body_4">
  Sample response body
</h3>

```json JSON lines wrap theme={null}
{
  "pings": [
    {
      "my_endpoint_status": "alive"
    }
  ]
}
```

<h2 id="post_webhooks_token_eventtype_eventtoken">
  Resend event notification
</h2>

**Action:** `POST`\
**Endpoint:** `/webhooks/{token}/{event_type}/{event_token}`

{/* <EndpointCard
title="Resend event notification"
path="/webhooks/{token}/{event_type}/{event_token}"
method="post"
/> */}

Resends an event notification to your webhook endpoint.

Although you send this request as a `POST`, all parameters are passed in the URL and the body is empty. The event notification is resent to your webhook endpoint and is also returned in the response to this request.

<h3 id="_url_path_parameters_5">
  URL path parameters
</h3>

| Fields                                             | Description                                                                                                                                                                                                                 |
| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| token<br /><br />string<br /><br />Required        | Unique identifier of the webhook.<br /><br />**Allowable Values:**<br /><br />Existing webhook token                                                                                                                        |
| event\_type<br /><br />string<br /><br />Required  | Specifies the type of event you want to resend.<br /><br />**Allowable Values:**<br /><br />`chargebacktransition`, `digitalwallettokentransition`, `cardtransition`, `usertransition`, `businesstransition`, `transaction` |
| event\_token<br /><br />string<br /><br />Required | Unique identifier of the event for which you want to resend a notification.<br /><br />**Allowable Values:**<br /><br />Existing event token                                                                                |
