Webhooks are how Ovra tells your systems that something happened. Every state-changing operation fires one. Deliveries are HMAC-SHA256-signed, retried on a plan-tier-aware backoff schedule, and SSRF-checked against private IPs and metadata endpoints.
Subscribe
["*"] to subscribe to every event.
URL constraints (isBlockedWebhookUrl):
- HTTPS or HTTP (HTTPS strongly recommended in prod)
- No localhost
- No RFC 1918 (10.0.0.0/8, 172.16/12, 192.168/16)
- No link-local (169.254.0.0/16) or metadata endpoints (169.254.169.254, metadata.google.internal)
- DNS rebinding check at delivery time
Event catalog
There are ~50 event types across these categories. Source of truth: apps/api/src/services/webhook.ts (WebhookEvent union).
Intent
intent.created · intent.approved · intent.denied · intent.expired · intent.cancelled · intent.matched (reserved) · intent.mismatched (reserved)
Transaction
transaction.created · transaction.updated · transaction.authorization · transaction.settlement · transaction.settled · transaction.completed · transaction.declined · transaction.refunded
Card
card.issued · card.activated · card.frozen · card.unfrozen · card.closed · card.rotated · card.funded · card.shipped · card.limits_changed · card.details_changed
Card limit request
card_limit_request.updated
Wallet
wallet.created · wallet.funded · wallet.credited
Transfer
transfer.completed · transfer.failed · transfer.split.completed
Risk
risk.agent_frozen · risk.review_required · risk.alert_created · risk.denied · risk.velocity_alert · risk.geo_impossible
Agent
agent.created · agent.frozen · agent.unfrozen
Collect (legacy `claim.*` namespace)
claim.request.created · claim.request.paid · claim.request.expired · claim.request.cancelled
Dispute
dispute.created · dispute.updated · dispute.resolved
MPP (credential issuer)
mpp.credential.minted · mpp.credential.consumed · mpp.credential.expired (reserved) · mpp.transaction.completed
Verification + misc
verification.mismatch · mobile_wallet.updated · payment.updated · receipt.updated · bill.updated · cardholder.updated
Delivery format
Headers:
| Header | Value |
|---|---|
| X-Ovra-Event | Event name |
| X-Ovra-Timestamp | Unix seconds at signing |
| X-Ovra-Delivery-Id | Unique per attempt |
| X-Ovra-Signature | sha256=<hex>, the HMAC-SHA256 of {deliveryId}.{timestamp}.{rawBody} |
| X-Request-Id | Correlation back to the originating request |
Verify the signature
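A receiver-side check for the headers above, written for Node.js as an added example; it is not Ovra's own code. It assumes the webhook secret is used directly as the HMAC key and that a 300-second replay window is acceptable (the page specifies neither); `verifyOvraWebhook`, `sampleDelivery` and the sample values are hypothetical.

```javascript
const crypto = require("node:crypto");

// Assumption: the page asks for a timestamp window but gives no value.
const TOLERANCE_SECONDS = 300;

// headers: lower-cased header names. rawBody: the exact bytes received (Buffer).
function verifyOvraWebhook(secret, headers, rawBody, nowSeconds = Math.floor(Date.now() / 1000)) {
  const deliveryId = headers["x-ovra-delivery-id"];
  const timestamp = headers["x-ovra-timestamp"];
  const signature = headers["x-ovra-signature"];
  if (!deliveryId || !timestamp || !signature) return { ok: false, reason: "missing_header" };

  // Accept only the documented sha256=<hex> form (64 hex chars = 32-byte digest).
  const match = /^sha256=([0-9a-f]{64})$/i.exec(signature);
  if (!match) return { ok: false, reason: "bad_signature_format" };
  // The timestamp must be plain Unix seconds.
  if (!/^\d{1,12}$/.test(timestamp)) return { ok: false, reason: "bad_timestamp" };

  // Sign over the raw bytes: re-serialising parsed JSON can change the payload
  // and break the MAC.
  const expected = crypto.createHmac("sha256", secret)
    .update(`${deliveryId}.${timestamp}.`)
    .update(rawBody)
    .digest();
  const received = Buffer.from(match[1], "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: "signature_mismatch" };
  }

  // Freshness is checked after the MAC, so the timestamp is already authenticated.
  if (Math.abs(nowSeconds - Number(timestamp)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: "stale_timestamp" };
  }
  return { ok: true, reason: null };
}

// Builds a constructed sample delivery (not real Ovra data) for local testing.
function sampleDelivery(secret, body, timestamp) {
  const deliveryId = "dlv_constructed_001";
  const sig = crypto.createHmac("sha256", secret)
    .update(`${deliveryId}.${timestamp}.${body}`)
    .digest("hex");
  return { "x-ovra-event": "card.frozen", "x-ovra-delivery-id": deliveryId,
    "x-ovra-timestamp": String(timestamp), "x-ovra-signature": `sha256=${sig}` };
}
```

Pass the body exactly as it arrived on the wire; a JSON body parser that runs before verification discards the bytes that were signed.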
Retry policy (plan-tier-aware)
| Tier | Max attempts | Backoff | Dead-letter |
|---|---|---|---|
| basic | 1 | – | – |
| full | 1 | – | – |
| full_retry | 5 | 1m · 5m · 15m · 1h · 4h | – |
| full_dlq | 5 | Same as above | ✓ |
FOR UPDATE SKIP LOCKED so multi-instance API hosts never double-deliver.
| Plan | Webhook tier |
|---|---|
| Free | basic |
| Starter | full |
| Business | full_retry |
| Enterprise | full_dlq |
Best practices
- Verify signatures before processing — never trust the body unsigned.
- Idempotent handlers — the same event may deliver more than once.
- Acknowledge fast — return 2xx within 30s. Defer slow work to a queue.
- Check the timestamp window to reject very old replays.
