Webhooks

In this guide, we will look at how to register and consume webhooks to integrate your app with Aurora Credit. With webhooks, your app can know when something happens in Aurora Credit, such as someone sending a message or adding a contact.

Registering webhooks

Now, whenever something of interest happens in your app, a webhook is fired off by Aurora Credit. In the next section, we'll look at how to consume webhooks.

Consuming webhooks

When your app receives a webhook request from Aurora Credit, check the type attribute to see what event caused it. The first part of the event type will tell you the payload type, e.g., a conversation, message, etc.

Example webhook payload

{
  "id": "a056V7R7NmNRjl70",
  "type": "application.evaluation.completed",
  "timestamp": 1717743189000,
  "payload": {
    "flowId": "0123456789abcdef",
    "nationalId": "12345678903"
  }
}

In the example above, a credit flow was updated, and the payload type is a application.evaluation.completed.

See all event types

Event types

  • Name
    credit.started
    Description

    A new credit process was started.

  • Name
    application-evaluation.completed
    Description

    Event indicating the completion of the application evaluation.

  • Name
    kyc-evaluation.completed
    Description

    Event signaling the completion of KYC/AML evaluation.

  • Name
    credit-evaluation.completed
    Description

    Event indicating the completion of the credit evaluation.

  • Name
    credit.rejected.automatic
    Description

    Event triggered when credit is automatically rejected.

  • Name
    credit-decision.appealed
    Description

    Event triggered when customer appeals an automatic(machine) credit decision.

  • Name
    credit-decision.appeal.accepted
    Description

    Event triggered when case worker accepts an appeal

  • Name
    credit-decision.appeal.rejected
    Description

    Event triggered when case worker rejects an appeal

  • Name
    credit.approved.automatic
    Description
    Event triggered when credit is automatically approved.
  • Name
    credit.manual-handling.started
    Description
    Event indicating that credit requires manual handling.
  • Name
    credit.rejected.manually
    Description
    Event triggered when credit is manually rejected.
  • Name
    credit.approved.manually
    Description
    Event triggered when credit is manually approved.
  • Name
    credit.ended
    Description
    Event signaling the end of the credit process.
  • Name
    manual-handling.additional-information.requested
    Description
    Event triggered when case worker requests additional information from customer.
  • Name
    manual-handling.additional-information.received
    Description
    Event triggered when customer responds to additional information request.

Example event

{
    "id": "a056V7R7NmNRjl70",
    "type": "credit.approved.automatic",
    "payload": {
    "flowId": "0123456789abcdef",
    "nationalId": "12345678903"
    // ...
}
}

Security

To know for sure that a webhook was, in fact, sent by Aurora Credit instead of a malicious actor, you can verify the request signature. Each webhook request contains a header named x-stacc-kredittmodulen-signature, and you can verify this signature by using your secret webhook key. The signature is an HMAC hash of the request payload hashed using your secret key. Here is an example of how to verify the signature in your app:

Verifying a request

const signature = req.headers['x-stacc-Aurora Credit-signature']
const hash = crypto.createHmac('sha256', secret).update(payload).digest('hex')

if (hash === signature) {
// Request is verified
} else {
// Request could not be verified
}

If your generated signature matches the x-stacc-Aurora Credit-signature header, you can be sure that the request was truly coming from Stacc. It's essential to keep your secret webhook key safe — otherwise, you can no longer be sure that a given webhook was sent by Stacc. Don't commit your secret webhook key to git!

Was this page helpful?