Configure webhook endpoints separately for Sandbox and Production.
Set up webhooks
Configure webhook endpoints in the Truv Dashboard:- Navigate to Development → Webhooks
- Enter your endpoint URL
- Save the configuration
Test webhooks
- Use Truv Bridge in the Dashboard Emulator to trigger webhook events in sandbox
- Use tools like ngrok to expose a local development server:
Webhook payload structure
All webhook requests include these standard fields:Headers
HTTP header names are case-insensitive per RFC 7230.
Body fields
Every webhook payload includes these common fields:
Additional fields vary by event type — see Events by object below.
Security
Every webhook includes anX-WEBHOOK-SIGN header with an HMAC-SHA256 signature. Verify it against the raw request body using your Access Secret before processing the event.
How it works
- Truv computes an HMAC-SHA256 hash of the raw request body using your Access Secret
- The hash is sent in the
X-WEBHOOK-SIGNheader with av1=prefix - Your server recomputes the hash and compares it to the header value
Code examples
Python
Python
Node.js
Node.js
Go
Go
Ruby
Ruby
C#
C#
Originating IP addresses
Allowlist the current Truv webhook IP addresses if your network requires source filtering:34.212.57.9344.224.243.16652.25.14.79
Additional authentication options
Beyond signature verification, Truv supports:- Truv-signed certificates for webhook mTLS
- Client-signed certificates for webhook mTLS
- OAuth 2.0, where Truv obtains access tokens for secure webhook delivery (optional, configured with Truv)
- Custom headers such as client ID and client secret, configured with Truv
Timeouts and retries
Event ordering
Webhooks are delivered in event order. For example,full_parse fires before done. However, network conditions can cause delays in delivery.
Handle webhooks
Best practices
Respond within 10 seconds
Respond within 10 seconds
Return a
200 response quickly. Process the webhook data asynchronously if needed:Handle duplicates with idempotency
Handle duplicates with idempotency
Webhooks may be delivered more than once. Use the
webhook_id field for idempotency:Always verify signatures
Always verify signatures
Never process a webhook without verifying the
X-WEBHOOK-SIGN header. See Security above.Track the task-status-updated event
Track the task-status-updated event
The
task-status-updated event is the primary signal for monitoring connection progress. Key statuses to handle:done: All data has been downloaded and processed. Fetch verification reports.login_error: Authentication failed. The user may need to retry.mfa_error: MFA verification failed.config_error: Provider configuration issue.
Troubleshooting
Events by object
Orders (see more)
Tasks (see more)
Bank Accounts (see more)
Shift (see more)
Pay Statement (see more)
Identity (see more)
Employment (see more)
Links (see more)