> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iron.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Dispatches an event notification to a configured webhook endpoint

> This webhook is triggered when a significant event occurs within the system
that a partner might be interested in. The payload contains details about the
event type and the associated data.

## Request

The webhook will be sent as an HTTP `POST` request to the URL configured
for the webhook. The body of the request will be a JSON payload
(`application/json`) containing an `ApiWebhookContainer`.

## Headers

The following headers will be included in the request, adhering to [the
Standard Webhooks specification](https://github.com/standard-webhooks/standard-webhooks/blob/main/spec/standard-webhooks.md):

- `content-type: application/json`: Indicates the payload format.
- `webhook-id`: A unique UUID (version 4) identifying this specific
delivery attempt. This can be used for idempotency and logging.
- `webhook-timestamp`: A string representing the Unix timestamp (seconds since epoch)
of when the webhook notification was sent.
- `webhook-signature`: A signature to verify the authenticity and integrity
of the payload. The format is `v1=<signature>`, where `<signature>` is
an HMAC-SHA256 hash.

## Signature Verification

To verify the signature:
1. Extract the `webhook-timestamp` from the header.
2. Extract the `webhook-signature` from the header and remove the `v1=` prefix.
3. Concatenate the `webhook-timestamp` string and the raw request body.
4. Calculate the HMAC-SHA256 hash of the concatenated string using your
webhook's secret key.
5. Compare the calculated hash (hex-encoded) with the signature extracted
from the header. They should match.

It is crucial to use a constant-time comparison function when comparing
signatures to prevent timing attacks.
(See the examples for more details)



## OpenAPI

````yaml /spec.yaml webhook new_event
openapi: 3.1.0
info:
  description: The Stablecoin Payment Network
  title: Iron API - Sandbox
  version: 1.0-16681
servers:
  - url: https://api.sandbox.iron.xyz/api
security: []
tags:
  - description: >-
      Wallet and bank account registration


      Every wallet address that interacts with Iron must be registered (linked)
      to a customer **before** it can be used in any flow — onramp, offramp, or
      swap. This is a regulatory requirement under the **Travel Rule**, which
      obliges Virtual Asset Service Providers to exchange originator and
      beneficiary information for crypto transfers.


      Iron supports two wallet types:


      - **Self-hosted wallets** — the customer controls the private key.
      Registration requires a signed proof-of-ownership message.

      - **Hosted wallets** — the wallet is custodied by another VASP (e.g.
      Coinbase, Kraken). Registration requires the VASP's DID so Iron can
      exchange travel-rule data with the custodian.


      Similarly, fiat bank accounts must be registered before they can receive
      offramp payouts.
    name: Addresses
  - description: Operations on Autoramp
    name: Autoramp
  - description: Operations on Chronicle collateral
    name: ChronicleCollateral
  - description: Operations on Currencies
    name: Currencies
  - description: Operations on Customers
    name: Customer
  - description: Operations on Exchange Rate
    name: ExchangeRate
  - description: Operations on Fee Profiles
    name: FeeProfiles
  - description: Operations for Sandbox Testing
    name: Sandbox
  - description: Operations on SSE
    name: Sse
  - description: Operations on Terms and Conditions
    name: TermsAndConditions
  - description: Operations on Webhooks
    name: Webhooks
paths: {}

````