Skip to main content
Webhooks are HTTP POST requests sent automatically by Truv when events occur during the verification flow. They track Task status changes, Order updates, Link connections, and data object creation, keeping your system in sync as data progresses through processing stages.
Configure webhook endpoints separately for Sandbox and Production.

Set up webhooks

Configure webhook endpoints in the Truv Dashboard:
  1. Navigate to DevelopmentWebhooks
  2. Enter your endpoint URL
  3. Save the configuration
Your endpoint will begin receiving webhook events for all activity in that environment.

Test webhooks

  • Use Truv Bridge in the Dashboard Emulator to trigger webhook events in sandbox
  • Use tools like ngrok to expose a local development server:
Then configure the ngrok URL as your webhook endpoint in the Dashboard.

Webhook payload structure

All webhook requests include these standard fields:

Headers

HTTP header names are case-insensitive per RFC 7230.

Body fields

Every webhook payload includes these common fields: Additional fields vary by event type — see Events by object below.

Security

Every webhook includes an X-WEBHOOK-SIGN header with an HMAC-SHA256 signature. Verify it against the raw request body using your Access Secret before processing the event.

How it works

  1. Truv computes an HMAC-SHA256 hash of the raw request body using your Access Secret
  2. The hash is sent in the X-WEBHOOK-SIGN header with a v1= prefix
  3. Your server recomputes the hash and compares it to the header value
Always verify signatures using the raw request body, not parsed JSON. Parsing and re-serializing may change the byte representation.

Code examples

Originating IP addresses

Allowlist the current Truv webhook IP addresses if your network requires source filtering:
  • 34.212.57.93
  • 44.224.243.166
  • 52.25.14.79

Additional authentication options

Beyond signature verification, Truv supports:
  • Truv-signed certificates for webhook mTLS
  • Client-signed certificates for webhook mTLS
  • OAuth 2.0, where Truv obtains access tokens for secure webhook delivery (optional, configured with Truv)
  • Custom headers such as client ID and client secret, configured with Truv
See mTLS if you need mutual certificate-based authentication for webhook delivery.

Timeouts and retries


Event ordering

Webhooks are delivered in event order. For example, full_parse fires before done. However, network conditions can cause delays in delivery.
Use the event_created_at field to sequence events correctly in your system, rather than relying on delivery order. When you need the authoritative full resource state, fetch it from the API instead of relying on the webhook payload alone.

Handle webhooks

Best practices

Return a 200 response quickly. Process the webhook data asynchronously if needed:
Webhooks may be delivered more than once. Use the webhook_id field for idempotency:
Never process a webhook without verifying the X-WEBHOOK-SIGN header. See Security above.
The task-status-updated event is the primary signal for monitoring connection progress. Key statuses to handle:
  • done: All data has been downloaded and processed. Fetch verification reports.
  • login_error: Authentication failed. The user may need to retry.
  • mfa_error: MFA verification failed.
  • config_error: Provider configuration issue.
See Connection Lifecycle for the full status flow.

Troubleshooting

Events by object

Orders (see more) Tasks (see more) Bank Accounts (see more) Shift (see more) Pay Statement (see more) Identity (see more) Employment (see more) Links (see more)