Bitpanda Enterprise
  1. Webhooks
Bitpanda Enterprise
  • Bitpanda Enterprise
    • Getting Started
      • Overview
      • Authentication
      • Versioning and API Changes
      • Changelog
    • REST API Endpoints
      • Overview
      • Auth Tokens
        • Obtain a Refresh and Access Tokens
        • Revoke a Refresh Token
      • User Administration
        • Individual Users
          • Create new user
          • Get user list v2
          • Search for users
          • Get user details v2
          • Update an existing user
          • Get user details
          • Off-boarding user
          • Inactivate user
          • Get user accepted Terms & Conditions
          • Get user accepted Terms & Conditions v2
          • User verification files
          • Get account levels
        • Businesses
          • Get risk questions
          • Get a list of available businesses
          • Create new business
          • Get business details
          • Update an existing business
          • Create Authorized Individual
          • Get a list of Authorized Individuals
          • Get Authorized Individual details
          • Update Authorized Individual
          • Delete Authorized Individual
          • Create Shareholder
          • Get a list of Shareholders
          • Get Shareholder details
          • Update Shareholder
          • Delete Shareholder
          • Create Beneficial Owner
          • Get a list of Beneficial Owners
          • Get Beneficial Owner details
          • Update Beneficial Owner
          • Delete Beneficial Owner
          • Create Managing Director
          • Get a list of Managing Directors
          • Get Managing Director details
          • Update Managing Director
          • Delete Managing Director
          • Create Individual
          • Get a list of Individuals
          • Get Individual details
          • Update Individual
          • Delete Individual
        • User Files
          • Upload a file
          • Get file contents
          • Get file information
        • Legal & Regulatory
          • Get Terms & Conditions
          • Get Terms & Conditions v2
          • Get AML questions
          • Get appropriateness questions
          • Get client categorization questionnaire
          • Get DAC8 questionnaire
          • Get FATCA questionnaire
          • Get Legal Documents
          • Capture consent for User's final check
          • Retrieve Tax Identification Number Configuration
          • Get UK appropriateness questionnaire
          • Get appropriateness questionnaire for complex products
          • Get client categorization questionnaire
          • Get UK Risk Disclosure Warning
          • Acknowledge UK Risk Disclosure Warning
          • Get user compliance status
      • Asset Oversight
        • Available Assets
          • Get a list of available assets
          • Get a list of available assets v2
        • Asset Details
          • Get asset details
          • Get asset details v2
        • Asset History
          • Get asset history
          • Get asset history
        • Asset Info
          • Get asset information
          • Get asset information
        • Cryptocoin Details
          • Get cryptocoin details
          • Get cryptocoin details
        • Metal Details
          • Get metal details
          • Get metal details
        • Crypto Index Details
          • Get crypto index details
          • Get crypto index details
        • Stock Details
          • Get stock details
          • Get stock details
        • Equity Stock Details
          • Get equity stock details
          • Get equity stock details V2
        • ETF Details
          • Get ETF details
          • Get ETF details
        • Equity ETF Details
          • Get equity ETF details
          • Get equity ETF details V2
        • ETC Details
          • Get ETC details
          • Get ETC details
        • Equity ETC Details
          • Get Equity ETC details
          • Get Equity ETC details V2
        • Token Details
          • Get token details
          • Get token details
        • Asset ESG Data
          • Get asset ESG data
          • Get asset ESG data V2
        • List all available fiats per partner
        • Get the exchange rate for two assets
        • Get the swap exchange rate between two assets
        • Get assets under management
        • Get assets under management grouped by type
        • Get crypto index allocations
        • Get asset tags mapping
        • Get prices
        • Get prices V2
      • Trading Capabilities
        • Trades
          • Create a trade offer
          • Create a trade offer V2
          • [Deprecated] Accept a trade offer
          • Accept a trade offer V2
          • Accept a trade offer V3
          • Get a trade offer status
        • Swaps
          • Create a swap offer
          • Create a swap offer V2
          • Accept a swap offer
          • Accept a swap offer V2
        • Automated Orders
          • List automated orders
          • Get automated order price estimation
          • Create an automated order
          • Get an automated order details
          • Cancel an automated order
      • Portfolio Management
        • Returns the list of owned assets
        • Returns the list of owned asset groups
        • Portfolio performance based on timeframe
        • Returns the enhanced portfolio detail of an asset
        • Returns the list of owned assets
        • Returns the list of owned asset groups
        • Portfolio performance based on timeframe
        • Returns the enhanced portfolio detail of an asset
      • Transactions Timeline
        • All
          • Transaction timeline per user
        • Trades
          • List all trades per user
          • Get trade details
          • Get trades history for user using asset and fiat uuid
          • Search for trades
          • Lightweight Search for trades V2
        • Swaps
          • Search for swaps
          • Swap details by swap offer ID
          • Search for swaps V2
          • Swap details by swap offer ID V2
        • Crypto Transfers
          • List all crypto transfers per user
          • Search for crypto transfers
        • Non-User Initiated Transactions
          • Non-user initiated transaction details
          • List all non-user initiated transactions per partner or per user
          • List all non-user initiated transactions per partner or per user V2
        • Corporate Actions
          • List all corporate actions per partner or per user
          • Corporate action details
        • Crypto Actions
          • Crypto action details V2
          • Crypto action details
        • Staking Actions
          • List all staking actions per user
          • List all staking actions per user V2
      • Reports
        • Get all available report types per user
        • Get all generated reports per user
        • Create Account Statement Report
        • Download a specific report
      • Tax Insights
        • Get user’s tax eligibility status
        • Update user’s tax eligibility status
        • Get trade tax details
      • Notification Events
        • List all notification events per partner
      • Smart Investment Features
        • Crypto Transfers
          • List external addresses
          • Create deposit address
          • Update external address
          • Create withdrawal address
          • List of VASPs
          • Validate crypto address
          • Update tax declaration status for a crypto deposit transaction
          • Create a crypto withdrawal offer
          • Confirm a withdrawal offer
        • Crypto Staking
          • Get staking overview
          • Get bonded overview
          • Stake a crypto asset
          • Unstake a crypto asset
          • Stake a crypto asset V2
          • Unstake a crypto asset V2
          • Get a staking action status
        • Savings Plans
          • Create a savings plan
          • Search for savings plans
          • Cancel a savings plan
          • Cancel a savings plan V2
          • Confirm a savings plan transaction
          • Confirm a savings plan transaction V2
          • Create a savings plan V2
          • Search for savings plans V2
          • Get savings plan next recurrence date.
      • Settlements
        • List all available fiats per partner
        • Create a settlement deposit
        • Update the fiat stock
        • List all settlement transactions per partner
    • Webhooks
      • Overview
      • Setting Up Webhooks
      • Handling Webhooks Events
        • User Updates Notifications
          • User Updates Notifications
        • Corporate Actions Notifications
          • Corporate Actions Notifications
          • Corporate Actions Notifications
        • Crypto Transfers Notifications
          • Deposit or withdrawal notification
        • Settlement Notifications
          • Top-Up Request
          • Top-Up Request V2
          • Top-Up Success
          • Top-Up Success V2
          • Send Money
          • Send Money V2
          • Send Money Success
          • Send Money Success V2
        • Non-user Initiated Transactions Notifications
          • Non-user Initiated Transactions
          • Non-user Initiated Transactions V2
          • Non-user Initiated Transactions V3
        • Savings Plans Notifications
          • Savings Plan Upcoming Trade
          • Savings Plan Upcoming Trade v2
          • Savings Plan Successful Trade
          • Savings Plan Failed Trade
          • Savings Plan Auto Cancel
        • Crypto Actions Notifications
          • Crypto Actions Notifications
        • Reports Notifications
          • Reports Notifications
        • Automated Orders Notifications
          • Automated Orders Notifications
    • WebSocket
      • Overview
      • Setting a Websocket
      • Websocket Server Documentation
    • Glosary
      • Key Terms and Definitions
    • Schemas
      • 400
      • 401
      • 403
      • UserJourney
      • 404
      • trades-search-lightweight
      • 413
      • TradeDetails
      • 422
      • CreateOfferRequest
      • 500
      • CreateOfferUUIDRequest
      • AccessToken
      • ListOrderResponse
      • getTransactionResponse
      • CreateOrderRequest
      • getFiatsResponse
      • CreateOrderResponse
      • GetOrderResponse
      • 405
      • 406
      • 409
      • 410
      • 503
      • Term
      • PaginationMeta
      • PaginationLinks
      • TermV2Link
      • ComplexProductsAnswer
      • TermV2Text
      • ComplexProductsQuestion
      • AmlAnswerNested
      • AmlQuestionNested
      • AmlAnswer
      • AmlQuestion
      • QuestionnaireAnswer
      • QuestionnaireQuestion
      • ClientCategorizationNestedAnswer
      • ClientCategorizationNestedQuestion
      • ClientCategorizationAnswer
      • ClientCategorizationQuestion
      • UKRiskDisclosureContentLink
      • Dac8Answer
      • UKRiskDisclosureContent
      • Dac8Question
      • UKRiskDisclosureActions
      • FatcaAnswer
      • UKRiskDisclosure
      • FatcaQuestion
      • AccountLevel
      • GetUserList
      • SimpleCursorPaginationMeta
      • AmlQuestionAnswerRequest
      • AppropriatenessQuestionAnswerRequest
      • ClientCategorizationQuestionAnswerRequest
      • FatcaQuestionAnswerRequest
      • Dac8QuestionAnswerRequest
      • UserVerificationV2Request
      • UserTax
      • UserMultipleTax
      • UserExtCompliance
      • CreateUserV2RequestBody
      • UserSearch
      • GetUserV2
      • UpdateUserV2RequestBody
      • GetUser
      • UserOffBoardingRequestBody
      • UserAcceptedTerm
      • UserAcceptedTermV2Link
      • UserAcceptedTermV2Text
      • ComplianceDetails
      • UserVerificationFilesV2RequestBody
      • UserComplianceV2
      • LegalDocument
      • UserComplianceV2Response
      • TaxRules
      • Asset
      • AssetHistory
      • AssetInfo
      • CryptoIndexAllocation
      • CoinDetails
      • MetalDetails
      • CryptoIndexDetails
      • YearlyNetIncome
      • StockDetails
      • EquityStockDetails
      • ETFDetails
      • EquityETFDetails
      • ETCDetails
      • EquityETCDetails
      • TokenDetails
      • ESGData
      • ExchangeRate
      • SwapExchangeRate
      • Asset-V2
      • GetAssetsUnderManagement
      • GetAssetsUnderManagementTypeGroup
      • FiatV2
      • TagGroup
      • TagsMapping
      • Trade
      • TradeV2
      • TransactionTimelineItem
      • TradeSearchV2
      • NextPrevCursorPagination
      • CorporateActions
      • CorporateActionDetailsAsset
      • CorporateActionDetailsFiat
      • CorporateActionDetails
      • NonUserInitiatedTransactionsDetailsAsset
      • NonUserInitiatedTransactionDetailsFiat
      • NonUserInitiatedTransactionsDetails
      • CryptoActionDetailsAsset
      • CryptoActionDetailsFiat
      • CryptoActionDetails
      • CryptoActionDetailsAssetV2
      • CryptoActionTransaction
      • CryptoActionDetailsV2
      • Warnings
      • Offer
      • OfferUUID
      • Offer-Accept
      • Offer-Accept-Uuid
      • Overview
      • GroupOverview
      • Performance
      • AssetDetailsEnhancedWithStaking
      • OverviewV2
      • AssetDetailsEnhancedWithStakingV2
      • Fiat
      • CreateDomainDepositRequestBody
      • UpdateFiatStockRequestBody
      • TransactionSearch
      • CreateAccountStatement
      • AccountStatementReportResponse
      • ReportDetails
      • UploadFileRequestBody
      • FileInformation
      • OverviewResponse
      • BondedOverviewResponse
      • StakeRequest
      • StakeResponse
      • PendingStakeActionResponse
      • UnstakeRequest
      • UnstakeResponse
      • SearchResponse
      • SearchV2Response
      • PaginationMetaV2
      • StakeV2Request
      • StakeV2Response
      • UnstakeV2Request
      • UnstakeV2Response
      • GetStatusResponse
      • EventV2
      • NonUserInitiatedTransactions
      • NonUserInitiatedTransactionsV2
      • GetPricesResponse
      • GetPricesResponse-v2
      • GetTaxStatusResponse
      • OrderPriceEstimationResponse
      • UpdateTaxStatusRequest
      • UpdateTaxStatusResponse
      • GetTaxDetailsResponse
      • AddressResponse
      • CreateAddressRequest
      • DepositAddressResponse
      • UpdateExternalAddressRequest
      • CreateWithdrawalAddressRequest
      • VaspResponse
      • ValidateCryptoAddressRequest
      • ValidateCryptoAddressResponse
      • TransactionResponse
      • TaxDeclarationUpdateRequest
      • WithdrawalOfferRequest
      • WithdrawalOfferResponse
      • WithdrawalResponse
      • SearchSavingsPlanResponse
      • CreateSavingsPlanRequest
      • CreateSavingsPlanResponse
      • ModifySavingsPlanRequest
      • ModifySavingsPlanResponse
      • CancelSavingsPlanV2Response
      • ConfirmSavingsPlanTransactionResponse
      • ConfirmSavingsPlanTransactionV2Response
      • SearchSavingsPlanV2Response
      • CreateSavingsPlanV2Request
      • CreateSavingsPlanV2Response
      • GetSavingsPlanNextRecurrenceResponse
      • CreateSwapOfferRequest
      • CreateSwapOfferResponse
      • SwapTradesSearch
      • GetSwap
      • CreateSwapOfferRequestV2
      • CreateSwapOfferResponseV2
      • SwapTradesSearchV2
      • GetSwapV2
      • AcceptSwapOfferResponse
      • AcceptSwapOfferResponseV2
      • ResponseMeta
      • RiskAnswer
      • RiskQuestion
      • GeneralAddress
      • EntityTaxClassification
      • Business
      • RiskQuestionAnswerRequest
      • CreateBusinessRequestBody
      • BusinessDetails
      • UpdateBusinessRequestBody
      • AuthorizedIndividual
      • CreateAuthorizedIndividualRequestBody
      • UpdateAuthorizedIndividualRequestBody
      • Shareholder
      • CreateShareholderRequestBody
      • UpdateShareholderRequestBody
      • BeneficialOwnerType
      • BeneficialOwnerControllingPersonType
      • BeneficialOwner
      • CreateBeneficialOwnerRequestBody
      • UpdateBeneficialOwnerRequestBody
      • ManagingDirector
      • CreateManagingDirectorRequestBody
      • UpdateManagingDirectorRequestBody
      • Individual
      • CreateIndividualRequestBody
      • UpdateIndividualRequestBody
  • Custody
    • Introduction
    • Security
    • Getting Started
    • Changelog
    • Webhooks
    • Supported Assets
    • Glossary
    • Tutorials
      • API Onboarding
      • TrustVault Node.js SDK
      • Change Wallet Policy API
      • Create a Bitcoin Transaction
      • Create an Ethereum Transaction
      • Create Transaction (Unsupported EVM chain)
      • Create Ethereum Transaction GraphQL API
      • Calculating Transaction Fee
      • Decoding an Ethereum Transaction Webhook Payload
      • Get User Portfolio
      • Environments
    • APIs
      • Travel Rule API
      • Deprecations
      • Trust API
        • Authentication
          • TrustVault Public Keys
        • Query
          • User
            • User SubWallets - Details
            • User SubWallets - Portfolio
            • User SubWallets - Balances
            • Get Transactions
            • Get Transactions for a BTC Receive Address
            • Get All BTC Receive Addresses (With Transactions)
            • Get User Portfolio
            • csvPortfolio
          • Get Request Item
        • Mutations
          • Create Transactions
            • Create BTC Transaction
            • Create ETH
            • Create Transaction (EVM compatible chain)
            • Create Exchange Transfer
          • Create Change Policy Request
          • Create Bitcoin Receive Address
          • Add Signature
          • Cancel request
          • Create Sub Wallet
          • Create Eth Personal Sign
          • Create Eth Signed Typed Data
          • Create Radix Transaction
          • Create Xdc.Network Transaction
    • Under the Hood
      • Understanding Bitcoin
      • Supported Ethereum Decoded Data
  • Crypto Pay by Bitpanda
    • Overview
    • REST API Endpoints
      • Authentication
        • Obtain a Refresh and Access Tokens
        • Revoke a Refresh Token
      • Transactions
        • Get transaction details
        • Create a new transaction
        • Get transactions details
      • Get list of fiat currencies
    • Webhooks
      • Settlement Update Notifications
      • Transaction Update Notifications
    • Schemas
      • 400
      • 401
      • 403
      • 404
      • 413
      • 422
      • 500
      • AccessToken
      • getTransactionResponse
      • getFiatsResponse
  1. Webhooks

Setting Up Webhooks

This page will help you set up and start using webhooks to receive real-time notifications from Bitpanda Enterprise directly to your application. Follow these steps to configure your API URLs and begin leveraging the power of event-driven data delivery.

Step 1: Register your callback URL#

Configure endpoint: Your application must have a publicly accessible endpoint to receive webhook notifications. This URL will be where we send JSON data when an event occurs.
Register URL & subscribe to events: Once available, pass this URL to our solution engineer together with the events that are relevant to your application.
There are two main options for differentiating between webhook calls:
URLs with different routes: You can set up a unique callback URL for each notification type, such as www.123.com/webhooks/webhook-1, webhook-2, etc. This approach allows you to process each event separately based on its endpoint, making it straightforward to distinguish between notification types.
Single URL with custom headers: Alternatively, if you prefer to use a single callback URL, we can configure custom headers for each notification type. This setup will enable you to identify the event type through the header, allowing flexible handling of different notifications within a single endpoint.
Each notification type also has a distinct payload structure, which aids in differentiation if using a single URL. Additionally, you have the option to activate notification types one at a time, providing control over your integration and easing testing.
Let us know which approach you would like to proceed with.

Step 2: Security Implementation#

IP Filtering#

Configure the Bitpanda Enterprise IPs to make sure the requests are correctly filtered.

Webhook Signature Verification#

All webhook requests are signed using RFC 9421 HTTP Message Signatures with ECDSA P-256. You must verify these signatures before processing webhook data.

Required Headers#

Every webhook includes these security headers:
HeaderPurposeExample
Signature-InputDefines signed components and metadatasig1=("@method" "@target-uri" "host" "date" "content-digest" "content-type" "content-length" "x-BTS-idempotency-key");created=1640995200;expires=1640995500;keyid="key-id";alg="ecdsa-p256-sha256"
SignatureBase64-encoded signaturesig1=:MEUCIQDxHJKV3+...signature...:
Content-DigestSHA-256 hash of request bodysha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
DateRequest timestampMon, 22 Sep 2025 15:26:23 GMT
X-BTS-Idempotency-KeyUnique event identifierBTS-a1b2c3d4e5f6...

Step-by-Step Implementation#

Step 1: Parse Signature Input#
Extract signature metadata from the Signature-Input header:
Step 2: Fetch Public Key#
Retrieve the signing key from our JWKS endpoint:
Step 3: Build Signature Base#
Construct the string that was signed according to RFC 9421:
Step 4: Verify Signature#
Validate the cryptographic signature:
Step 5: Validate Timestamps#
Check signature freshness:
Step 6: Verify Content Digest#
Validate request body integrity:

Complete Verification Function#

Usage Example#

Key Implementation Notes#

1.
Authentication: JWKS endpoint requires Authorization: Bearer YOUR_API_TOKEN
2.
Components: Always signed in this exact order: @method, @target-uri, host, date, content-digest, content-type, content-length, x-BTS-idempotency-key
3.
Base64 Encoding: Signatures use base64url encoding (may need conversion for your crypto library)
4.
Timestamp Window: Signatures typically expire 5 minutes after creation
5.
Host Header: Use the actual Host header value, not derived from URL
6.
Target URI: Use the complete URL including scheme, host, and path
Contact your solution engineer to obtain your API token for JWKS access.

Step 3: Handle Incoming Data#

Code and test your endpoint to accept POST requests. Ensure it can parse the JSON payload and handle different types of events according to your business logic as detailed in the following subsections. Note that you should process the events in an idempotent way as the events might be sent one or multiple times.
The X-BTS-Idempotency-Key header helps you handle duplicate deliveries:
Previous
Overview
Next
User Updates Notifications
Built with