> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getovra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get webhook by ID



## OpenAPI

````yaml /openapi.yaml get /webhooks/{id}
openapi: 3.1.0
info:
  title: Ovra API
  version: 0.5.0
  description: >
    Agentic Payments Infrastructure — EU-native, Fiat-first, DSGVO-by-design.

    Virtual cards and SEPA for AI agents. No crypto.


    ## Authentication


    All endpoints (except `/health` and `/`) require a Bearer token in the
    `Authorization` header.


    Two token types are supported:


    - **API Keys** (`sk_...`) — Full access, for dashboard and admin use.

    - **Agent Tokens** (`at_...`) — Scoped per agent, for autonomous agent
    operation. Created via `POST /agents/:id/tokens`.


    Test-mode keys use the `sk_test_` / `at_test_` prefix; live keys use
    `sk_live_` / `at_live_` (or plain `sk_` / `at_`).


    ## Data Residency


    All data is stored in the EU. Every response includes the `X-Data-Residency:
    EU` header.


    ## Rate Limiting


    Requests are rate-limited per IP (default 100 req/min, 60 s refill window).
    A `429` response is returned with `Retry-After` (seconds) and
    `X-RateLimit-*` headers when the limit is exceeded.


    ## Idempotency


    POST requests to `/agents/*`, `/intents/*`, `/checkout/*`, and `/cards/*`
    support the `Idempotency-Key` header.


    ## Pagination


    List endpoints support cursor-based pagination via `cursor` and `limit`
    query parameters.

    Responses include `data`, `hasMore`, and `nextCursor` fields.


    ## Webhook Events


    `transaction.completed`, `intent.created`, `intent.approved`,
    `intent.denied`, `intent.expired`,

    `card.frozen`, `card.unfrozen`, `card.closed`, `card.rotated`,
    `card.issued`, `card.funded`,

    `agent.created`, `agent.frozen`, `verification.mismatch`, `dispute.created`,
    `dispute.resolved`, `dispute.updated`


    Signature: `X-Ovra-Signature: sha256=<HMAC>`
  contact:
    name: Ovra Support
  license:
    name: Proprietary
servers:
  - url: https://api.getovra.com
    description: Production (EU)
  - url: http://localhost:3000
    description: Local development
security:
  - BearerAuth: []
tags:
  - name: Health
    description: Health and API information
  - name: Customers
    description: Customer (account owner) management
  - name: Agents
    description: AI agent lifecycle — create, fund, freeze, unfreeze, delete
  - name: Agent Tokens
    description: Scoped tokens for autonomous agent operation
  - name: Policies
    description: Spending policies — limits, allowlists, blocklists
  - name: Intents
    description: Spending intents — declare, approve, deny, cancel, verify
  - name: Cards
    description: Virtual card lifecycle — issue, freeze, unfreeze, close, rotate
  - name: Checkout
    description: Payment execution and zero-knowledge credential flow
  - name: MPP
    description: Machine Payments Protocol — API-native settlement for HTTP 402 flows
  - name: Billing
    description: >-
      Wallet balance, Stripe funding, saved payment methods, and SEPA bank
      transfer details
  - name: Transactions
    description: Transaction history and memos
  - name: Webhooks
    description: Webhook subscription management
  - name: Disputes
    description: Transaction disputes and evidence
  - name: Evidence
    description: Intent evidence (receipts, screenshots, invoices)
  - name: GDPR
    description: DSGVO/GDPR compliance — export, delete, consent
  - name: Merchants
    description: Merchant intelligence and MCC code lookup
  - name: Access Events
    description: Card access request logging and audit trail
  - name: Keys
    description: API key management
  - name: Wallets
    description: >-
      Wallet (account) lifecycle — create, list, fund, close. Aliased as
      `/accounts`.
  - name: Transfers
    description: Wallet-to-wallet and external SEPA transfers. Aliased as `/payments`.
  - name: Refunds
    description: Refund processing for completed transactions
  - name: Receipts
    description: Receipt upload and retrieval
  - name: Card Controls
    description: Card-level merchant / country / MCC controls
  - name: Card Requests
    description: Approval workflows for new cards and card limit changes
  - name: Beneficiaries
    description: External payee directory for SEPA transfers. Aliased as `/vendors`.
  - name: Onboarding
    description: Customer / merchant onboarding submissions
  - name: KYC
    description: Identity verification submissions and status
  - name: Runs
    description: Agent workflow run correlation. Aliased as `/workflows`.
  - name: Delegations
    description: >-
      Per-token spend caps + public delegation redeem. Aliased as
      `/authorizations`.
  - name: Ledger
    description: Double-entry ledger queries
  - name: Statements
    description: Periodic billing statements (also reachable as `/bills`)
  - name: Credentials
    description: Single-use card credential lifecycle (issue, redeem, revoke)
  - name: Risk
    description: Risk events, alerts, configuration, and manual unfreeze
  - name: Analytics
    description: Cost, merchant, anomaly, allocation, and forecast reports
  - name: Audit
    description: Audit-log search, export, and retention purge
  - name: Outcomes
    description: Agent outcome tracking and ROI measurement
  - name: Fund
    description: Manual wallet top-up endpoint
  - name: Claim
    description: Inbound payment requests (Collect). Public payer page included.
  - name: CLI Auth
    description: Browser-paired CLI sign-in flow
  - name: Intelligence
    description: Merchant resolve, MCC lookup, allowlist suggestions
  - name: Collect
    description: >-
      Inbound payment surface (alias of `/claim`). Receipts, payment tokens,
      agent charge, public HTTP-402 endpoint.
  - name: Pass-Through
    description: >-
      Universal Pass-Through Tokens (`/v1/agent-credentials`) — agent-bound
      Network Tokens scoped to merchant + amount + TTL.
  - name: Merchant Applications
    description: Merchant onboarding application intake (dashboard-secret only).
  - name: Forecast
    description: p10/p50/p90 daily spend forecast per agent.
  - name: Push Subscriptions
    description: Web Push subscription management (VAPID).
  - name: Security Incidents
    description: DORA Art. 17/18 ICT incident reporting (dashboard-secret only).
  - name: Canvas
    description: Aria conversational control surface (NDJSON event stream).
  - name: Sessions
    description: >-
      Tier-2 device-bound API session ceremony (RFC 8628 device flow +
      WebAuthn).
  - name: Mandates
    description: Tier-3 standing payment mandates per agent (WebAuthn-bound, constrained).
  - name: Passkeys
    description: >-
      WebAuthn passkey enrollment, listing, and revocation. Per-intent assertion
      challenges.
  - name: Well-Known
    description: Public no-auth discovery and verification endpoints under `/.well-known`.
paths:
  /webhooks/{id}:
    get:
      tags:
        - Webhooks
      summary: Get webhook by ID
      operationId: getWebhook
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Webhook details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/WebhookSummary'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
        '429':
          $ref: '#/components/responses/TooManyRequests'
components:
  schemas:
    WebhookSummary:
      type: object
      properties:
        id:
          type: string
        url:
          type: string
        events:
          type: array
          items:
            type: string
        status:
          type: string
    Error:
      type: object
      required:
        - error
      properties:
        error:
          type: string
          description: Human-readable error message
  responses:
    Unauthorized:
      description: Missing or invalid authentication
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Resource not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    TooManyRequests:
      description: Rate limit exceeded
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: >-
        API key (`sk_sandbox_*` / `sk_test_*` / `sk_live_*`) or Agent token
        (`at_*` / `at_dlg_*`)

````