> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chargeblast.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhook

> This page will help you get started with our webhooks.

First set up your webhook URL in the Chargeblast dashboard in the settings tab.

<img src="https://mintcdn.com/chargeblast/ntrX-tzDCxYfNFkO/images/reference/chargeblast-webhook-url-dashboard.png?fit=max&auto=format&n=ntrX-tzDCxYfNFkO&q=85&s=db0e675b96c1014d105f8d2826792ca8" alt="" width="2366" height="798" data-path="images/reference/chargeblast-webhook-url-dashboard.png" />

Chargeblast will begin emitting events to your webhook URL with the following schema. These events will be fired anytime a new alert is generated.

### Authentication

To authenticate the integrity of incoming webhooks, a header is passed into the post request to your endpoint under the header name `svix-signature`. The value in this header is an HMAC-SHA256 encoded string using the payload of the request with the webhook secret as key.

In order to authenticate the request, you perform a HMAC-SHA256 encoding using a concat of webhook request body, `svix_timestamp` and `svix_id` and your webhook secret (`whsec_xxxxx`) and ensure these strings match. Then input string to SHA256 HMAC will look like:

`signedContent = "${svix_id}.${svix_timestamp}.${body}"`

This is a common method for ensuring that the webhook messages you receive in your server are from a trusted source and haven't been tampered with.

PythonJavaScript

\`const crypto = require('crypto');

const signedContent = `${svix_id}.${svix_timestamp}.${body}`;
const secret = "whsec\_xxxxxxxx";

// Need to base64 decode the secret
const secretBytes = Buffer.from(secret.split('\_')\[1], "base64");
const signature = crypto
.createHmac('sha256', secretBytes)
.update(signedContent)
.digest('base64');

console.log(signature);
\`

The svix-signature header is composed of a list of space delimited signatures and their corresponding version identifiers. The signature list is most commonly of length one. Though there could be any number of signatures. For example:
v1,g0hM9SsE+OTPJTGt/tmIKtSyZlE3uFJELVlNIOLJ1OE= v1,bm9ldHUjKzFob2VudXRob2VodWUzMjRvdWVvdW9ldQo= v2,MzJsNDk4MzI0K2VvdSMjMTEjQEBAQDEyMzMzMzEyMwo=

Make sure to remove the version prefix and delimiter (e.g. v1,) before verifying the signature.

### Types

For the full list of webhook event types (`alert.created`, `alert.updated`, `alert.refunded`, and others), when they fire, and which alert types apply, see **[Webhook event types](/api-reference/webhooks/webhook-events)**. Prefer the **[Webhooks](/api-reference/webhooks/setup)** guide for the current payload schema and verification steps.
