Skip to main content
Subscribe to webhooks to receive real-time notifications about wallet workflow, deposit, rebalance, withdrawal, payout, and strategy lifecycle changes.

Register a webhook

The create response includes id, url, events, createdAt, and secret. Store secret on the server only (env var / secret manager). The secret field is only returned on create — it is not included when listing endpoints.
Only portfolio_wallet.* event types are accepted. Requests that include event types outside the portfolio_wallet.* namespace will be rejected with a validation error.

List webhooks

The list is returned under the canonical list envelope key data. The legacy endpoints key is kept as a backwards-compatible alias containing the same array. Pass nextCursor as cursor to fetch the next page. Note that secret is not included in list responses. See API Conventions for the list envelope.

Delete a webhook

Returns { "id": "...", "deleted": true } on success.

Portfolio Wallet events

Event payloads

portfolio_wallet.status_changed

portfolio_wallet.deposit.status_changed

portfolio_wallet.withdrawal.status_changed

The withdrawal object is a workflow snapshot for the withdrawal, including payout legs and their current execution steps. See Withdraw Funds for the full payoutLegs structure.

portfolio_wallet.withdrawal.payout.status_changed

portfolio_wallet.strategy.status_changed

portfolio_wallet.rebalance.status_changed

Rebalance and withdrawal step objects expose workflow execution metadata. Broadcast transaction hashes are exposed on payout rows when available, not on every workflow step.

Error responses

Webhook registration and management endpoints return errors in a consistent {error, code} structure:

Delivery and headers

Ground POSTs to your registered url with these headers:

Signature verification

Ground uses a Stripe-style HMAC scheme:
  • Header format: Ground-Signature: t=<unix_timestamp>,v1=<hex_hmac>
  • HMAC: v1 = HMAC_SHA256(key = secret, message = t + "." + rawBody)
  • rawBody is the exact request body string (before JSON.parse).

Node / Express verification example

Quick checklist

  • Register a webhook and persist secret.
  • Verify every request with t + "." + rawBody and constant-time compare.
  • Enforce a timestamp window and use HTTPS.
  • Log Ground-Event-Id and Ground-Event-Type for debugging.
  • Respond with 200 quickly — do heavy processing asynchronously.