Webhooks

How to use webhooks to stay up to date with changes

Overview

Currently you need to contact First AML customer support to have a webhook setup.

Webhooks must be configured with a https:// destination URL, http:// is not supported.

Webhooks provide a mechanism for notifying your integration in response to changes in the First AML platform.

Types

Currently 2 webhook types are supported:

• CaseCreated
• CaseStatusUpdated

Webhooks need to be configured to target a specific organization. The webhook can also be restricted to only respond to events for a subset of offices within an organization as well.

Webhook Body

The body of the webhook is encoded as application/json and delivered via a POST request sent to the target URL. For each event, the webhook payload will contain the following information:

{
	"eventType": "CaseCreated",
	"caseId": 12345,
	"officeKey": "abc456789-3476-4cf6-8491-bdd1272cf01"
}

You will note that the contents of the webhook payload does not include any details about the case or data that was changed. You must make a secured request to retrieve any details related to the case in response to receiving a webhook.

Security

To ensure requests you receive come from First AML you can verify the webhook via the signature provided in the x-faml-signature header. When your webhook is registered we will provide you with a verifier token key, this will be a Base64 encoded value, an example of this would be RXD1PO5RcE+/Ku0I9N6mPihk6L4kQTHUx39qtOHu4Wc=.

To verify the signature, you need to create your own and compare it to the contents of the x-faml-signature. To do this you need to use the HMACSHA256 algorithmn. Most languages have a library for this.

Creating the signature requires inputs in the form of two byte arrays:

• The Base64 decoded verifier token key as the secret key
• The UTF-8 encoded contents of the request body

This should output a signature as a byte array. Base64 encode this output. If the request is from First AML, this should match the contents of the x-faml-signature header.

Some libraries will take strings as inputs or give a string as the output. For these it’s important you check the encoding to ensure it matches the process listed above.

An example using the key RXD1PO5RcE+/Ku0I9N6mPihk6L4kQTHUx39qtOHu4Wc= and the webhook request body being:

{"eventType":"CaseCreated","caseId":3036,"officeKey":null}

Then the value of the x-faml-signature would be S6P+iWJWILHg+vLc7tkSlzVD3YAouOeyFb1gEvdAoZc=.

Redelivery

If the target endpoint does not return a 200 OK response, or is not available, delivery of the webhook will be reattempted up to 5 times within a half hour before webhook delivery is abandoned.

If required, a request can be made to the support team upon request to reattempt delivery of failed webhooks.

Requesting Setup

When you are ready to configure a webhook, please provide the following details to your primary support contact to get your webhook set up.

• Webhook Destination URL (Must be HTTPS)
• Webhook Event Types
• The environment the webhook subscription should be created for (Production or Sandbox).

---

Documents

← Previous

Introduction

Next →

Related Docs

• Documents
• Using Insomnia
• GraphQL Schema
• Input Validation