Sandbox
  • Production
  • Sandbox
  1. API
Sandbox
  • Production
  • Sandbox
  • API
    • Getting Started
    • Idempotent Requests
    • Webhook
    • Authentication
      • Get Token
    • Merchant Management
      • Create Merchant
      • Create Merchant(new)
      • Update Merchant
      • Update Merchant(new)
      • Get Merchant
      • Get Merchant(new)
      • Merchant Status Webhook
      • Merchant Status Webhook(new)
    • Fiat Payment
      • Bank Account Management
        • Create Fiat Account Application
        • Get Fiat Account Application Status
        • Get Deposit Bank Account
        • Add Bank Account
        • Get Bank Accounts
        • Fiat Account Application Status Webhook
      • Fiat Withdrawal
        • Create Fiat Withdrawal
        • Get Fiat Withdrawal History
        • Get Fiat Withdrawal Detail
        • Get List of Currencies that Supports Same-Name Withdrawal
        • Fiat Withdrawal Webhook
      • Fiat Deposit
        • Get Fiat Deposit Detail
        • Get Fiat Deposit History
        • Fiat Deposit Webhook
    • Crypto Payment
      • Crypto Checkout
        • Create Crypto Checkout
        • Create Crypto Checkout Link
        • Crypto Checkout Wallet Connection
        • Generate POS Payment Request
        • Close Crypto Checkout
        • Get Convertible Cryptos
        • Get Crypto Checkout
        • Get Crypto Checkout Link
        • Get Crypto Checkout Currencies
        • Crypto Checkout Webhook
      • Crypto Deposit
        • Update Crypto Deposit Travel Rule Info
        • Get Crypto Deposit Wallet
        • Get Crypto Deposit Wallet(new)
        • Get Crypto Deposit
        • Get Crypto Deposit History
        • Get Crypto Deposit History(new)
        • Crypto Deposit Webhook (new)
      • Crypto Withdrawal
        • Register Wallet Address
        • Remove Wallet Address
        • Create Crypto Withdrawal
        • Get Wallet Address
        • Get Crypto Withdrawal
        • Get Crypto Withdrawal History
        • Crypto Withdrawal Webhook
        • Get Crypto Withdrawal History (new)
      • Crypto Collection
        • Buyer Management
          • Create Buyer
          • Get Buyer
          • Update Buyer
          • Buyer Status Webhook
        • Create Collection Wallet
        • Update Collection Wallet
        • Get Collection Wallet
        • Get Crypto Collection
        • Crypto Collection Wallet Webhook
        • Crypto Collection Webhook
        • Update Co-KYT status
      • Crypto Refund
        • Create Crypto Refund
        • Confirm Crypto Refund
        • Get Crypto Refund
        • Crypto Refund Webhook
      • Currency & Blockchain
        • Get Supported Blockchains
    • Conversion
      • Create Quotation
      • Create Conversion
      • Get Quotation
      • Get Conversion
      • Conversion Webhook
    • Settlement
      • (Deprecated) Get Settlement Statement
    • Tool
      • Upload File
    • Account Management
      • Get Balance
      • Get Balance (new)
      • Internal Transfer
      • Get Internal Transfer
      • (deprecated) Get Statement
    • VA+POBO(V2)
      • Bank Account Management
        • Get Fiat Account Capabilities
        • Create Fiat Account Request
        • Submit Additional Information for Fiat Account Request
        • Fiat Account Request Status Webhook
        • Fiat Account/Onboarding Full Fields Specification
      • Withdrawal
        • Get Same Name Withdrawal Capabilities
        • Activate Same Name Withdrawal
        • Submit Additional Information for Activating Same Name Withdrawal
        • Activate Same Name Withdrawal Webhook
        • Create Fiat Withdrawal
        • Submit Additional Information for Fiat Withdrawal Request
        • Get Fiat Withdrawal Detail
        • Get Fiat Withdrawal History
        • Fiat Withdrawal Webhook
        • Same Name Payout Full Fields Specification
  1. API

Webhook

Introduction#

You can configure webhooks to monitor events on your account, enabling your system to receive notifications.
CAMP relies on webhooks to notify you whenever an event occurred on your account, such as the completion of transactions. This is useful for handling asynchronous operation in real time.
To use webhooks with your CAMP integration:
1.
Create a webhook endpoint in your system.
2.
Configure the webhook endpoint on the API Integration page. For details, please refer to the Account Setup page.
3.
Simulate an event to test your webhook endpoint.
4.
Implement validation of webhook signatures. (Optional)

Webhook Retry Logic#

To acknowledge receipt of an event, your endpoint must return a 2xx HTTP status code to CAMP and the response format should be application/json. Otherwise CAMP will assume the event was not received and it will retry the webhook for up to 24 hours using an exponential backoff strategy.

Webhook Verification#

About verifying webhook#

Once your system is configured to receive payloads, it will listen for any delivery that is sent to the configured endpoint. To ensure that your system only processess webhook deliveries that were sent by CAMP and ensure that the delivery was not tampered, you should verify the webhook signature before processing them.

To verify webhook signature#

There will be X-Signature header included in all webhooks that contains a timestamp and a signature that you need to verify. The timestamp has a t= prefix, and signature has a v0= prefix.
X-Signature: 
t=1758867971711,
v0=b2468f1bc285eb64be242ee6d02e3c959dfb61482abe47ddb50da4b6be55997e

Steps to verify webhook signature#

Step 1: Get the webhook secret#

Login CAMP platform, and get the Webhook Secret in the API Integration page.
image.png

Step 2: Extract timestamp and signature#

Split the header using , character as the delimiter and get the values for timestamp t and signature v0.

Step 3: Prepare the signed_message string#

Concatenate the timestamp and webhookData from the request body, separated by a _ character to form the signed_message.

Step 4: Compute the expected signature#

Use the secret key as private key and use hash-based message authentication code (HMAC) with SHA-256 algorithm to encrypt the signed_message to generate the expected signature.

Step 5: Compare the signature#

Compare the signature in the webhook request payload with the expected signature.

Preventing replay attacks#

To prevent replay attacks, you may like to check the timestamp t against the current time and reject events that are too old. It is recommended to have a tolerance of 3 minutes between the timestamp and current time.
Modified at 2025-12-25 14:08:33
Previous
Idempotent Requests
Next
Get Token
Built with