Implementing a Webhook Notification

March 11, 2026 22:52

Kount 360 webhooks enable you to receive live updates over HTTP when a status change occurs. Webhook events gives you the ability to receive automated updates on orders in Kount 360. When enabled, webhook events from Kount 360 are sent to a URL hosted by you in a JSON payload.

Note

To ensure reliable webhook notifications, our system employs an automatic retry mechanism. In certain scenarios, such as network fluctuations or timeout issues, this could result in the same event payload being delivered more than once. Integrations must be designed to recognize a duplicate event and ensure that processing it multiple times does not result in inconsistent data, like creating duplicate records or double-charging a user.

The following webhook events are used in Kount 360. Webhook events are divided by product.

Payments Fraud

Order Update: Sends a notification when an order is approved or declined, a note added, an agent assigned, a Chargeback or Refund report is marked, and/or a reason code is added.
Order Status Change: Deprecated. Use Order Update instead. This webhook sends an event when an order is approved or declined.
Reason Code Update: This webhook sends an event notification when a reason code is added or changed.
Chargeback Bulk Added: Only sends a notification when a bulk chargeback report is uploaded in the user interface invoking BatchUpdateReversals.

Identity Proofing and Account Protection

Decision Status Update: A webhook event that sends a notification when the decision, caseStatus, queue, rejectionCode, tags, assignee, or verifiedFraud are changed.
Document Verification Status Update: A webhook event that sends a notification when a Multi-factor Authentication (MFA) status (MFA.StatusUpdate) is updated.

To implement a webhook, you must:

Create a webhook by providing the URL to the API endpoint and selecting the events you want to be notified about. Refer to Managing Webhooks.
Get the public key provided in the Kount 360 portal to verify the authenticity of the events received. Kount creates an RSA 4096 key pair. The private key is used by Kount to sign the message and the public key is available to you for verifying the signature of events that your server receives.

Note

You might also need to create an IP range allowlist so that the webhook calls are allowed into your network. Go to Create an IP Range Allowlist for more information.

Webhook Workflow

The workflow of the webhook call is as follows:

When an event with webhook support occurs in Kount 360, the system checks whether you have any webhooks configured.
If you have configured one or more webhooks, Kount 360 makes a call to notify your server of the event that occurred.
Once your server receives the HTTP request, you must use the public key that you retrieved from Kount 360 to authenticate the message.
Respond to the event according to your business needs.

Webhook Specification

The API endpoint you implement must be a REST HTTPS endpoint.

Method: POST

Headers: The request contains custom headers with a digital signature of the event.

With these headers, you can establish:

Integrity — the event has not been tampered with
Non-repudiation — the event was sent by Kount

HTTP Header	Description
X-Event-Signature	A base-64 encoded RSASSA_PSS_SHA_256 signature of the event. PKCS #1 v2.2, Section 8.1, RSA signature with PSS padding that uses SHA-256 for both the message digest and the MGF1 mask generation function that includes a 256-bit salt. Go to Verifying the Signature of the Event Message to learn how to use this value to verify the signature.
X-Event-Timestamp	An RFC3339 timestamp. Example: `2024-03-20T16:55:09.951Z`

Content-Type: application/json

Body: Go to Orders Update API Request Properties.

Request Parameters and Data Submission

Caution

If you are implementing a webhook for Chargeback Management, do not use the Channel field.

The payload depends on the event that occurs in the system.

Orders status update: This event is sent when the fraud status (approve, decline, or review) is updated. The eventType is set to Order.StatusChange and the fieldName is set to status.

sidebar. Orders Update API Request Properties

JSON Path	Field Name	Description	Type	Examples
id	Event ID	A randomly-generated UUID that identifies the event notification.	String	b567ec17-c5c7-40ad-8437-09b353efdb52
eventType	Event Type	A string containing the type of event that occurred out of the enumeration of possible events sent from Kount 360. One of the following enumerations: Order.StatusChange Order.Update	String	Order.StatusChange
apiVersion	API Version	The version of the API to indicate that your API endpoint is following the latest specification. The letter "v" followed by an integer that increments with version changes.	String	1
clientId	Client ID	The client ID that the event was generated for. This matches the client ID for your organization that is provided in the portal.	String	34510293857
orderId	Order ID	The unique identifier of the order. This allows the order to be queried and referenced in various contexts.	String	Y7VQBX8KTXW1V37Z
channel	Customer Transaction Channel	Unique identifier of the website, app, or other customer-defined division from where the order originated. Cannot match regex [><&'\"]. Maximum of 256 characters CAUTION: If you are implementing a webhook for Chargeback Management, do not use this field.	String	"ACME_IOS_APP"
merchantOrderId	Merchant Order ID	The customer-provided unique identifier for this order. Uniqueness for this property is not enforced.	String	d121ea2210434ffc8a90daff9cc97e76
orderCreationDate	Order Creation Date	An RFC 3339 date/time indicating when the order was placed.	String	2024-03-20T16:55:09.951Z
eventDate	Event Date	An RFC 3339 date/time indicating when the event occurred.	String	2024-03-21T20:44:39Z
agent	Agent properties object	An object that contains the properties associated with the user or system agent that performed the events. Note: If the event was performed by the system, not by a user, the system value is sent for the agent name. The agent email address and agent ID are not sent.	Object
agent.name	Agent Name	A string containing the name of the user or system agent that performed the events.	String	Jane Doe
agent.emailAddress	Agent Email Address	A string containing the email address of the user or system agent that performed the events.	String	jane.doe@example.com
agent.id	Agent ID	A string containing the unique identifier of the user or system agent that performed the events.	String	d121ea2210434ffc8a90daff9cc97e76
fields	Updated Fields	An array of objects representing each property that was updated in the order.	Array
fields.name	Name of Updated Field	The name of the field that was updated.	String	status
fields.oldValue	Old Field Value	The previous value of the field before the event occurred.	String	REVIEW
fields.newValue	New Field Value	The new value of the field after the event occurred.	String	APPROVED
policyManagement	Policy Management Properties	An object containing the properties of the policy set fired as part of analyzing the order.	Object
policyManagement.tags	Tags	An array of strings containing the name of the tags that were applied to this order by segments or policies that evaluated as true.	Array
policyManagement.tagWeights	Tag Weights	An array of objects containing the details of tags that were applied to this order by segments or policies that evaluated as true and each tag’s associated weight after the tags' values were fully resolved.	Array

sidebar. Orders Update API Example

Caution

If you are implementing a webhook for Chargeback Management, do not use the Channel field.

{
  "id": "f276e154-23ef-4366-933b-e1f12e159901",
  "eventType": "OrderUpdate",
  "apiVersion": "1",
  "clientId": "900900900900900",
  "orderId": "8V6CFF359HS5QQ6G",
  "channel": "MOBILE",
  "merchantOrderId": "qjlm9gvol6olejcs",
  "orderCreationDate": "2022-05-24T23:13:02Z",
  "eventDate": "2022-05-24T23:18:00Z",
  "agent": {
    "name": "Jane Doe",
    "emailAddress": "jane.doe@example.com",
    "id": "d121ea2210434ffc8a90daff9cc97e76"
  },
  "tags": [
    "risky_device",
    "unverified_location",
    "device_outsideUS"
  ],
  "tagWeights": [
    {
      "name": "risky_device",
      "weight": 110
    },
    {
      "name": "unverified_location",
      "weight": 10
    }
  ],
  "fields": [
    {
      "name": "order.decision",
      "oldValue": "REVIEW",
      "newValue": "DECLINE"
    },
    {
      "name": "order.chargeback.isChargeback",
      "oldValue": "false",
      "newValue": "true"
    },
    {
      "name": "order.chargeback.chargebackReasonCode",
      "oldValue": null,
      "newValue": "10.2"
    },
    {
      "name": "order.transaction[\"d121ea2210434ffc8a90daff9cc97e76\"].authorizationStatus.authResult",
      "oldValue": null,
      "newValue": "10.2"
    },
    {
      "name": "order.fulfillments[\"d121ea2210434ffc8a90daff9cc97e76\"].status",
      "oldValue": "SCHEDULED",
      "newValue": "FULFILLED"
    }
  ]
}

Webhook response

The webhook should return an HTTP 200 if the webhook call was successful. Any other response is considered a failure. No headers or body is expected in the response.

Verifying the Signature of the Event Message

It is the responsibility of your app to verify the signature of each webhook request.

Retrieve the webhook public key from Kount 360.
Extract the timestamp (X-Event-Timestamp) and signature (X-Event-Signature) from the request headers.
Verify that the signature timestamp is within a reasonable time frame from the current system time. For example, five minutes.
Reconstruct the signature by using base64 decoding.
Use an RSA library to verify the RSA PKCS #1 v2.2 signature. The inputs are:
1. The public key
2. SHA-256 as the hashing algorithm
3. The timestamp from the header concatenated to the body of the HTTP request (timestamp followed by the body) as the message to be verified
4. The base64 decoded signature as the signature to verify against

Webhook Handler Examples

The following examples demonstrate how to verify the signature of the event message in Go and TypeScript.

sidebar. Go event message example

package main

import (
    "crypto"
    "crypto/rsa"
    "crypto/sha256"
    "crypto/x509"
    "encoding/base64"
    "io"
    "net/http"
    "time"
)

var publicKey = getPublicKey()

const timestampGrace = 5 * time.Minute

func kount360WebhookReceiver(
    w http.ResponseWriter,
    r *http.Request,
) {
    // Validate timestamp
    timestampHeader := r.Header.Get("X-Event-Timestamp")
    timestamp, err := time.Parse(time.RFC3339, timestampHeader)
    if err != nil {
        http.Error(w, "invalid timestamp", http.StatusBadRequest)
        return
    }

    if since := time.Since(timestamp); since > timestampGrace {
        http.Error(w, "timestamp too old", http.StatusBadRequest)
        return
    } else if since < -timestampGrace {
        http.Error(w, "timestamp too new", http.StatusBadRequest)
        return
    }

    // Read body
    body, err := io.ReadAll(r.Body)
    if err != nil {
        http.Error(w, "could not read body", http.StatusInternalServerError)
        return
    }

    // Create hash
    hasher := sha256.New()
    if _, err := hasher.Write([]byte(timestampHeader)); err != nil {
        http.Error(w, "could not read body", http.StatusInternalServerError)
        return
    }    
    if _, err := hasher.Write(body); err != nil {
        http.Error(w, "could not read body", http.StatusInternalServerError)
        return
    }

    // Signature
    sig, err := base64.StdEncoding.DecodeString(r.Header.Get("X-Event-Signature"))
    if err != nil {
        panic(err)
    }

    // Verify RSA PKCS #1 v1.5 signature.
    if err := rsa.VerifyPSS(publicKey, crypto.SHA256, hasher.Sum(nil), sig, nil); err != nil {
        http.Error(w, "could not verify signature", http.StatusForbidden)
        return
    }

    // Process message
    // ...

    w.WriteHeader(http.StatusOK)
}

func getPublicKey() *rsa.PublicKey {
    decoded, err := base64.StdEncoding.DecodeString(
        "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsQr7/3peYbbHkVsS0NlU4ziIFWKjjSI8HcWRSs6QOP6ZXrLXbvcOIuEFYA5ujThLuQfo05EzvWfVSdelbLJ39QNoFfOJ2YE4hq78/8OSloOU/E68M+rrFrxdS1QohsEuzoKD+9hyD2/3JE3vHpi82CjF1msVn9/fBDhYWvWQIOo16N435Wdfl62UZlAun+4TXYxUi+C2s67f58yPQN1uLEL+fa1L05TASqjINh0qjGIaz74g8lT05h/iDzPuTVGofFgTXUZh1yqA9p2P3I3UrK/jLv+aPkCpkwZltZVx99mk8uNVj4exlRC5kACQhvAbLgxiepmZR5XYyNJq1FPLsZuC27g1Squd7LL3Kdbv2tl4mjFG6P1FJwvve6qFVTq7cujEmq9yhfz16d7BPoT1+msZvoc22E7gTkuaW4cnckn7sbioA99zADcdb7OjzEuPd8NqGGD2Ldjg6eese8LF320XQ6jAc4dXcr6ZxVSSQyyI/qTlfi/3OoK7gSrGJT1MGZiohxx9kjt5z/G9fNoMlrQ/yJyLrTZxnlT+MVOsNtFYLZAV0XwVYQZ0a7PQ8hR4wwJxhfK84CcVUON+v4+vrj9bBDZH+boNIUFVDlpMiPjixunSs8FS9DfJ6UnG2YrlbHThgDmmZHj6sY/SUp4mcblBqGQwtxoTkCQqcJQxvAkCAwEAAQ==",
    )
    if err != nil {
        panic(err)
    }
    parsed, err := x509.ParsePKIXPublicKey(decoded)
    if err != nil {
        panic(err)
    }
    key, ok := parsed.(*rsa.PublicKey)
    if !ok {
        panic("could not typecast to rsa.PublicKey")
    }
    return key
}

sidebar. TypeScript event message example

import crypto from "crypto";
import express, { Request, Response } from "express";

const app = express();

const publicKeyBase64 = `MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsQr7/3peYbbHkVsS0NlU4ziIFWKjjSI8HcWRSs6QOP6ZXrLXbvcOIuEFYA5ujThLuQfo05EzvWfVSdelbLJ39QNoFfOJ2YE4hq78/8OSloOU/E68M+rrFrxdS1QohsEuzoKD+9hyD2/3JE3vHpi82CjF1msVn9/fBDhYWvWQIOo16N435Wdfl62UZlAun+4TXYxUi+C2s67f58yPQN1uLEL+fa1L05TASqjINh0qjGIaz74g8lT05h/iDzPuTVGofFgTXUZh1yqA9p2P3I3UrK/jLv+aPkCpkwZltZVx99mk8uNVj4exlRC5kACQhvAbLgxiepmZR5XYyNJq1FPLsZuC27g1Squd7LL3Kdbv2tl4mjFG6P1FJwvve6qFVTq7cujEmq9yhfz16d7BPoT1+msZvoc22E7gTkuaW4cnckn7sbioA99zADcdb7OjzEuPd8NqGGD2Ldjg6eese8LF320XQ6jAc4dXcr6ZxVSSQyyI/qTlfi/3OoK7gSrGJT1MGZiohxx9kjt5z/G9fNoMlrQ/yJyLrTZxnlT+MVOsNtFYLZAV0XwVYQZ0a7PQ8hR4wwJxhfK84CcVUON+v4+vrj9bBDZH+boNIUFVDlpMiPjixunSs8FS9DfJ6UnG2YrlbHThgDmmZHj6sY/SUp4mcblBqGQwtxoTkCQqcJQxvAkCAwEAAQ==`;
const publicKey = crypto.createPublicKey({
  key: Buffer.from(publicKeyBase64, "base64"),
  format: "der",
  type: "spki",
});

const timestampGrace = 5 * 60 * 1000; // 5 minutes in milliseconds

app.post("/webhook", (req: Request, res: Response) => {
  const timestampHeader = req.headers["x-event-timestamp"] as string;
  const signatureBase64 = req.headers["x-event-signature"] as string;
  if (!timestampHeader || !signatureBase64) {
    return res.status(400).send("Missing headers");
  }

  const timestamp = new Date(timestampHeader);
  const now = new Date();
  if (
    isNaN(timestamp.getTime()) ||
    now.getTime() - timestamp.getTime() > timestampGrace ||
    timestamp.getTime() - now.getTime() > timestampGrace
  ) {
    return res.status(400).send("Invalid timestamp");
  }

  const verifier = crypto.createVerify("RSA-SHA256");
  verifier.update(timestampHeader);
  verifier.update(JSON.stringify(req.body));
  const signature = Buffer.from(signatureBase64, "base64");

  if (!verifier.verify(publicKey, signature)) {
    return res.status(403).send("Could not verify signature");
  }

  // Process the valid webhook payload
  // ...

  res.sendStatus(200);
});

Create an IP Range Allowlist

You might need to create an allowlist (formerly known as a whitelist) for webhooks to function properly on your network. Use the following IP address ranges (CIDR blocks) to create the list.

216.46.107.20/30
216.46.107.24/30
165.183.168.12/30
165.183.168.20/30
147.146.254.192/27
147.146.254.224/27
147.146.254.32/28
147.146.254.48/28

If you have any issues with the CIDR blocks, you can download a CSV file that contains a complete list of the IP addresses necessary for the allowlist.

2 KB Download

Was this article helpful?

0 out of 4 found this helpful