SimpliFi - Bayzat
HomeContact Us
HomeContact Us
    • Introduction
    • SimpliFi Architecture
    • SimpliFi Virtual Card SDK Integration Guide
    • Webhook Signature
    • Auth
      • Login to generate JWT token
        POST
      • Login to generate SDK Admin JWT token
        POST
    • Card Program
      • Create Card Program
        POST
      • Get Card Program
        GET
      • Change Card Program Status
        PATCH
      • Link Funding Source to Card Program
        POST
      • Get Balance of Funding Source
        GET
      • Raise Funding
        POST
      • Raise Funding Document Upload
        POST
    • User
      • Upload Document
        POST
      • List all Users
        GET
      • Create a User
        POST
      • Retrieve a User
        GET
      • Update a User
        PUT
      • Delete a User
        DELETE
    • Transaction
      • List All Transactions
        POST
    • Card
      • List all Cards
        GET
      • Create a Card
        POST
      • Get Card Details
        GET
      • Activate a Card
        POST
      • Manage Card Status
        POST
      • Get Rule Groups on Card
        GET
      • Create Rule Group on Card
        POST
      • Update Rule Group on Card
        PUT
    • Webhook
      • Get all events
      • Create a webhook
      • Update a Webhook
      • Delete a Webhook
      • Updates the status of Webhook
      • Card Holder Creation Success webhook
      • Card Holder Update Success webhook
      • Card Holder Deletion Success webhook
      • Card Program Creation Success webhook
      • Card Program Update Success webhook
      • Card Program Status Change Success webhook
      • Raise Funding Success webhook
      • Card Activation Success webhook
      • Card Activation Failure webhook
      • Card Issuance Success webhook
      • Card Issuance Failure webhook
      • Card Status Change Success webhook
      • Rule Group Creation Success webhook
      • Rule Group Update Success webhook
      • Rule Group Delete Success webhook
      • Transaction Success webhook
    • Schemas
      • ErrorModel
      • AuthRequestModel
      • SdkAuthRequestModel
      • AuthResponseModel
      • CardProgramRequestModel
      • CardProgramResponseModel
      • CardProgramStatusChangeRequestModel
      • FundingSourceRequestModel
      • FundingSourceResponseModel
      • FundingSourceBalanceModel
      • RaiseFundingRequestModel
      • RaiseFundingResponseModel
      • RaiseFundingDocumentModel
      • FileUploadModel
      • DocumentUploadModel
      • DocumentModel
      • TransactionRequestModel
      • TransactionResponse
      • TransactionResponseDetails
      • UserDetailModel
      • ContactModel
      • UserRequestModel
      • UserModel
      • InstrumentType
      • CardRequestModel
      • CardResponseModel
      • CardStatusModel
      • RuleGroupResponseModel
      • RuleGroupModel
      • RuleGroupSpendRestrictions
      • WebhookEventType
      • WebhookEventModel
      • WebhookRequestModel
      • WebhookResponseModel
      • CompanyUuidParameter
      • RequestUuidParameter
      • UserUuidParameter
      • CardUuidParameter
      • MaskedPanParameter
      • CardStatusParameter
      • TransactionIdParameter
      • TransactionUuidParameter
      • TransactionTypeParameter
      • WebhookSuccess
      • WebhookFailure
      • UserSuccessWebhook
      • CardHolderCreationSuccessWebhook
      • CardHolderUpdationSuccessWebhook
      • CardHolderDeletionSuccessWebhook
      • CardProgramSuccessWebhook
      • CardProgramCreationSuccessWebhook
      • CardProgramUpdationSuccessWebhook
      • CardProgramStatusChangeSuccessWebhook
      • RaiseFundingSuccessWebhook
      • CardActivationSuccessWebhook
      • CardActivationFailureWebhook
      • CardIssuanceSuccessWebhook
      • CardIssuanceFailureWebhook
      • CardStatusChangeSuccessWebhook
      • RuleGroupCreationWebhook
      • RuleGroupCreationSuccessWebhook
      • RuleGroupUpdationSuccessWebhook
      • RuleGroupDeletionSuccessWebhook
      • TransactionSuccessWebhook
      • Error99997
      • Error40089
      • Error40065
      • Error40007
      • Error40056
      • Error30003
      • Error15017
      • Error40081
      • Error30022
      • Error15015
      • Error15016
      • Error30049
      • Error40006
      • Error40010
      • Error40080
      • Error40053
      • Error40113
      • Error40067
      • Error40069
      • Error50010
      • Error50011
      • Error50008
      • Error50004
      • Error10003
      • Error20046
      • Error35004
      • Error35005
      • Error35006
      • Error35007
      • Error35009
      • Error10001
      • Error20133
      • Error20017
      • Error20001
      • Error20005
      • Error20039
      • Error20011
      • Error20038
      • Error20127
      • Error20018
      • Error20002
      • Error20004
      • Error20006
      • Error20032
      • Error30012
      • Error20086
      • Error20019
      • Error20132
      • Error20008
      • Error40054
      • Error20015
      • Error20074
      • Error21090
      • Error20161
      • Error20162
      • Error20089
      • Error20076
      • Error30023
      • Error30013
      • Error20087
      • Error30028
      • Error20070
      • Error20050
      • Error82028
      • Error30004
      • Error30044
      • Error30001
      • Error30006
      • Error30048
      • Error30024
      • Error35043
      • Error30025
      • Error30010
      • Error30047
      • ErrorReason99997
      • Error81040
      • Error40128
      • Error40136
      • Error10035
      • Error35024
      • Error60001
      • Error60002
      • Error60003
      • Error60004
      • Error60005
      • Error60021
      • Error60012
      • Error60009

    Webhook Signature

    Overview#

    A webhook signature is a security mechanism used to verify that an incoming HTTP request actually comes from the expected provider and hasn't been tampered with. It works by using a shared secret key and a hashing algorithm to create a hash of the payload, which is then compared against the signature provided in the request header.
    When SimpliFi sends a webhook, each one contains two entries related to signature. X-SimpliFi-Webhook-Timestamp and X-SimpliFi-Webhook-Signature. Both of these are used to verify the authenticity of the webhook.

    Signature Key#

    This is a pre-shared key which SimpliFi will provide to their client. This key will be used to hash and generate the signature.
    Note: Key is not automatically rotated. It would only be rotated if the client requests a new key, or if SimpliFi suspects the key has been leaked. Please make sure to keep the key secret and do not store it in plain text.

    Timestamp#

    SimpliFi calculates a timestamp when it is sending the webhook. It is a difference between the current time and midnight, January 1, 1970 UTC.

    Signature#

    The webhook signature is calculated by combining the Timestamp value and Payload, then using HmacSHA256 algorithm the combined value is hashed. This hashed value is then encoded using Base 64.

    Verification#

    To verify the webhook, a signature should be generated and compared with the supplied signature. What you need is:
    1.
    Signature Key - This is a pre-shared key generated by SimpliFi and shared offline.
    2.
    JSON Payload - This is the body of the webhook. The format of the content is in JSON, however it is sent as application/text so that it is not automatically converted into a formatted JSON by any processors.
    Note: JSON payload should not be altered in anyway to caclulate the signature. Any extra character (or whitespace) will give wrong results.
    3.
    Timestamp - This is supplied in the header of the webhook. The key is X-SimpliFi-Webhook-Timestamp.
    4.
    Signature - This is supplied in the header of the webhook. The key is X-SimpliFi-Webhook-Signature.
    Following is an example on how to generate a signature from the above:
    Modified at 2026-05-13 04:29:32
    Previous
    SimpliFi Virtual Card SDK Integration Guide
    Next
    Login to generate JWT token
    Built with