Skip to main content
Asset uses webhooks to send notifications regarding specific requests and updates about the platform.

Configuring Webhooks

  • In the Asset Dashboard, go to Developers → Webhooks.
  • Enter your Endpoint URL (HTTPS only).
  • (Optional) Add custom Headers such as an Authorization token or an x-asset-signature secret.
  • Click Save.

Disabling Webhooks

There might be times in which you want to temporarily disable webhooks. To do this, follow the steps below:
  1. In the Asset Dashboard, open Developers → Webhooks.
  2. Toggle Enabled off.
  3. Click Save.

Retries

If there is non-200 response or the request times out, Asset will retry the request two more times, each with an exponential backoff. The first delay will be 5 seconds, and the second daly will be 10 seconds.

Headers

Every webhook request comes with two headers asset-id and asset-signature. The asset-id header uniquely identifies the webhook request, and asset-signature is the signature of the request. You can use the public key at https://api.getasset.com/.well-known/jwks.json to validate the signature. Below is a sample Python code snipet that shows how to validate the signature. 
import json
import base64
import requests
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from jwcrypto import jwk

def base64url_decode(val):
    val += "=" * (-len(val) % 4)  # Fix padding
    return base64.urlsafe_b64decode(val)

asset_id = "<VALUE FROM HEADER>"
asset_signature = "<VALUE FROM HEADER>"
body = "<BODY OF WEBHOOK MESSAGE>"
payload = f"{asset_id}.{json.dumps(body)}"
decoded_signature(asset_signature)

# Download the public key for signature verification and convert to RSA format
resp = requests.get("https://api.getasset.com/.well-known/jwks.json").json()
key = jwk.JWK.from_json(json.dumps(resp["keys"][0]))
n = int.from_bytes(base64url_decode(key.get("n")), "big")
e = int.from_bytes(base64url_decode(key.get("e")), "big")
public_numbers = rsa.RSAPublicNumbers(e, n)
rsa_key = public_numbers.public_key(default_backend())

# Vaidate the signature
rsa_key.verify(
    decoded_signature,
    payload.encode(),
    padding.PKCS1v15(),
    hashes.SHA256(),
)

Notifications

Plaid Connections

For bank integrations, we have the following notifications available:
  • PLAID_ACCOUNT_CONNECTED: Sent when a new account is connected via Plaid.
  • PLAID_ACCOUNT_DISCONNECTED: Sent when an existing account is disconnected through the Plaid link flow.
  • PLAID_ACCOUNT_EXPIRED: Sent when Plaid detects that the account connection is not active. This means the account must be reconnected.
  • PLAID_TRANSACTIONS_SYNCED: Sent when new transactions have been synced for a Plaid-connected account.
All notifcations above have the same message structure: 
{
  "type": "<PLAID_ACCOUNT_CONNECTED, PLAID_ACCOUNT_CONNECTED, PLAID_ACCOUNT_EXPIRED, PLAID_TRANSACTIONS_SYNCED>",
  "content": {
    "business_id": "biz_Pk2fNFDd8wj7EFeLWJywc7",
    "timestamp": "<current timestamp in UTC>",
    "account_id": "<the plaid linked item id>"
  }
}

Bookkeeping requests

As the books are being completed for a business, Asset will send requests that lists the set of tasks that need to be completed by the business owner. Message structure: 
{
  "type": "TASK_REQUEST",
  "content": {
    "business_id": "biz_Pk2fNFDd8wj7EFeLWJywc7",
    "task_types": [
      "categorize_transaction",
      "reconnect_account"
      "request_other_document",
      "request_receipt",
      "request_statement",
      "review_personal_transaction",
      "other"
    ]
  }
}
Questions? Reach out via our Contact form or email [email protected].