Asset uses webhooks to send notifications regarding specific requests and updates about the platform.

Configuring Webhooks

  • In the Asset Dashboard, go to Developers → Webhooks.
  • Enter your Endpoint URL (HTTPS only).
  • (Optional) Add custom Headers such as an Authorization token or an x-asset-signature secret.
  • Click Save.

Disabling Webhooks

There might be times in which you want to temporarily disable webhooks. To do this, follow the steps below:
  1. In the Asset Dashboard, open Developers → Webhooks.
  2. Toggle Enabled off.
  3. Click Save.

Retries

If there is non-200 response or the request times out, Asset will retry the request two more times, each with an exponential backoff. The first delay will be 5 seconds, and the second daly will be 10 seconds.

Headers

Every webhook request comes with two headers asset-id and asset-signature. The asset-id header uniquely identifies the webhook request, and asset-signature is the signature of the request. You can use the public key at https://api.getasset.com/.well-known/jwks.json to validate the signature. Below is a sample Python code snipet that shows how to validate the signature. 
import json
import base64
import requests
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from jwcrypto import jwk

def base64url_decode(val):
    val += "=" * (-len(val) % 4)  # Fix padding
    return base64.urlsafe_b64decode(val)

asset_id = "<VALUE FROM HEADER>"
asset_signature = "<VALUE FROM HEADER>"
body = "<BODY OF WEBHOOK MESSAGE>"
payload = f"{asset_id}.{json.dumps(body)}"
decoded_signature(asset_signature)

# Download the public key for signature verification and convert to RSA format
resp = requests.get("https://api.getasset.com/.well-known/jwks.json").json()
key = jwk.JWK.from_json(json.dumps(resp["keys"][0]))
n = int.from_bytes(base64url_decode(key.get("n")), "big")
e = int.from_bytes(base64url_decode(key.get("e")), "big")
public_numbers = rsa.RSAPublicNumbers(e, n)
rsa_key = public_numbers.public_key(default_backend())

# Vaidate the signature
rsa_key.verify(
    decoded_signature,
    payload.encode(),
    padding.PKCS1v15(),
    hashes.SHA256(),
)
Questions? Reach out via our Contact form or email support@getasset.com.