Subscribing to Webhooks Using OAuth
This section describes the API request used to subscribe to a webhook using OAuth. You can only
subscribe to one webhook per API request.
To request the service, use the endpoint specified below. After you send the request, check the
response message to verify that the request was successful. A 200-level response code
indicates success.
For information about response
codes, see
Transaction Response
Codes
.Endpoint
- Test:POSTapitest.cybersource.com/notification-subscriptions/v1/webhooks
- Production:POSTapi.cybersource.com/notification-subscriptions/v1/webhooks
- Production in India:POST api.in.cybersource.com/notification-subscriptions/v1/webhooks
Required Fields for Subscribing to Webhooks Using OAuth
-
eventType
-
healthCheckUrl
-
Required in order to auto-activate the subscription. The URL must use port number 8443 or 443. If you do not send this field, the subscription will be created but not activated. To activate it later, you must send a PATCH request that includes a health check URL. An inactive subscription will not send notifications. For more information, see Health Check URL.
-
organizationId
-
productId
-
For a list of product and event types, see Product and Event Types.
-
securityPolicy.config.oAuthTokenExpiry
-
securityPolicy.config.oAuthTokenType
-
Set the value toBearer
-
securityPolicy.config.oAuthUrl
-
securityPolicy.securityType
-
Set the value tooAuth.
-
webhookUrl
-
The URL must use port number 8443 or 443.
Optional Fields for Subscribing to Webhooks Using OAuth
-
name
-
description
-
healthCheckUrl
-
This field is not required in order to create a subscription, but it is required in order to activate it. If you do not send this field during subscription, the subscription is created but not activated. To activate it later, you must send a PATCH request that includes a health check URL. An inactive subscription does not send notifications. For more information, see Health Check URL.
-
notificationScope.scope
-
For more information, see Notification Scope.
-
notificationScope.scopeData
-
Required if you submit thenotificationScope.scopefield. All organizations subscribing to the webhook must be listed in the value, separated by commas.
-
retryPolicy.deactivateFlag
-
See Retry Policy.
-
retryPolicy.firstRetry
-
See Retry Policy.
-
retryPolicy.interval
-
See Retry Policy.
-
retryPolicy.numberOfRetries
-
See Retry Policy.
-
retryPolicy.repeatSequenceCount
-
See Retry Policy.
-
retryPolicy.repeatSequenceWaitTime
-
See Retry Policy.
Example: Creating a Webhook Subscription Using OAuth
{ "name": "Terminal Management Webhook", "description": "Notification of assignment updates", "organizationId": "org1", "productId": "terminalManagement", "eventTypes": [ "terminalManagement.assignment.update" ], "webhookUrl": "https://mywebhookserver.com:8443/simulateclient", "healthCheckUrl": "https://mywebhookserver.com:8443/simulateclienthealthcheck", "notificationScope": "SELF", "securityPolicy": { "securityType": "oAuth", "config": { "oAuthTokenExpiry": "365", "oAuthURL": "https://mywebhookserver.com/oauthtoken", "oAuthTokjava.io.PrintWriter@72350ab0 enType": "Bearer" } } }
{ "organizationId" : "org1", "productId" : "terminalManagement", "eventTypes" : [ "terminalManagement.assignment.update" ], "webhookId" : "d7399cb6-ff9f-72d9-e053-3cb8d30a62ee", "webhookUrl" : "https://mywebhookserver.com/simulateclient", "healthCheckUrl" : "https://mywebhookserver.com/simulateclient/healthcheck", "createdOn" : "2022-02-04T22:17:43.045Z", "status" : "INACTIVE", "retryPolicy" : { "algorithm" : "ARITHMETIC", "firstRetry" : "1", "interval" : "1", "numberOfRetries" : "3", "deactivateFlag" : "false", "repeatSequenceCount" : "0", "repeatSequenceWaitTime" : "0" }, "securityPolicy" : { "securityType" : "oAuth", "proxyType" : "internal", "digitalSignatureEnabled" : "yes", "config" : { "oAuthTokenExpiry" : "300, "oAuthURL" : "https://myoauthserver.com/simulator/v1/token", "oAuthTokenType" : "Bearer" } }, "version" : "3", "notificationScope" : "SELF" }
Notification Scope
The value of the
notificationScope.scope
field determines which organizations receive the notification. This field can take any of these values:
-
SELF
-
Subscribes to event notifications for only the organization requesting the webhook subscription.
-
DESCENDENTS
-
Subscribes to event notifications for all child organizations of the requesting organization.
-
CUSTOM
-
Subscribes to event notificationsjava.io.PrintWriter@6a375201 for organizations listed in thenotificationScope.scopeDataarray. Organizations must be separated by commas.
Health Check URL
When you subscribe to a webhook, it is recommended that you include a health check URL. While it is not required to create a subscription, the subscription is not activated until a health check URL is added to the subscription.
If
deactivateflag=true
was set in the subscription request and your webhook URL or health check URL become unresponsive, any new notifications will be held and their respective subscriptions will have a status of
SUSPENDED
. When the URLs becomes responsive, your subscriptions will return to a status of
ACTIVE
and notifications will resume.
Providing a health check URL for each webhook implements two features: suspend and resume and automatic activation.
Suspend and Resume
The webhook delivery framework can detect when a webhook URL is unavailable and suspend the delivery of notifications. When your webhook URL is available, the webhook framework resumes delivery of webhook notifications, ensuring that there are no missed notifications. To implement this feature, you must include the
healthCheckurl
field when you send the API request that creates the webhook subscription. For more information, see Set Up Webhooks.
Subscription Status
A subscription can have one of three statuses:
-
ACTIVE
-
The subscription is ready to send notifications or is actively sending notifications.
-
INACTIVE
-
The subscription has not been activated. Add a health check URL to activate. See Health Check URL.
-
SUSPENDED
-
The subscription was active, but the webhook URL or the health check URL became unreachable. When the URL becomes reachable, the status changes toACTIVEand notifications resume.
Product and Event Types
When you send an API request to create a webhooks subscription, you must include the product and its associated events to which you are subscribing. You can include only one product per API request, so you must send separate requests for each product and its associated events. Each time one of the listed events occurs, you receive a notification. If a product is not yet available, you receive the notifications when it becomes available. To obtain a list of products to which you can subscribe, see the Requesting a List of Products and Events topic for the applicable Webhooks subscription workflow.
To create a webhooks subscription, set the
productId
field to a value listed in the product ID column, and set the
eventTypes
field array to a value or values listed in the event types column. These are the supported products and events and their respective
productId
and
eventTypes
field values:
Product ID
|
Event Types
|
Description
|
---|---|---|
alternativePaymentMethods
|
payments.payments.updated
|
Notifies you that an alternative payment transaction's status has been updated.
|
Product ID
|
Event Types
|
Description
|
---|---|---|
decisionManager
|
risk.casemanagement.decision.accept
|
Notifies you that a
Decision Manager
case has been accepted.
|
risk.casemanagement.decision.reject
|
Notifies you that a
Decision Manager
case has been rejected.
|
|
risk.profile.decision.reject
|
Notifies you of a profile decision to reject a transaction.
|
|
risk.casemanagement.addnote
|
Notifies you that a note has been added to a
Decision Manager
case.
|
Product ID
|
Event Types
|
Description
|
---|---|---|
fraudManagementEssentials
|
risk.casemanagement.decision.accept
|
Notifies you that a
Fraud Management Essentials
case has been accepted.
|
risk.casemanagement.addnote
|
Notifies you that a note has been added to a
Fraud Management Essentials
case.
|
|
risk.profile.decision.reject
|
Notifies you that a transaction was rejected.
|
|
risk.casemanagement.decision.reject
|
Notifies you that a
Fraud Management Essentials
case has been rejected.
|
|
risk.profile.decision.monitor
|
Notifies you of a profile decision to monitor a transaction.
|
|
risk.profile.decision.review
|
Notifies you of a profile decision to review a transaction.
|
Product ID
|
Event Types
|
Description
|
---|---|---|
customerInvoicing
|
invoicing.customer.invoice.send
|
Notifies you that an invoice has been sent.
|
invoicing.customer.invoice.cancel
|
Notifies you that an invoice has been cancelled.
|
|
invoicing.customer.invoice.paid
|
Notifies you that an invoice has been paid.
|
|
invoicing.customer.invoice.partial-payment
|
Notifies you that an invoice has been partially paid.
|
Product ID
|
Event Types
|
Description
|
---|---|---|
cns
|
cns.report.keyExpiration.detail
|
Notifies you that a key is expiring.
|
Product ID
|
Event Types
|
Description
|
---|---|---|
recurringBilling
|
rbs.subscriptions.charge.failed
|
Notifies you of a recurring payment failure.
|
rbs.subscriptions.charge.pre-notified
|
Notifies you of an upcoming recurring payment.
|
|
rbs.subscriptions.charge.created
|
Notifies you of successful recurring payment.
|
Product ID
|
Event Types
|
Description
|
---|---|---|
tokenManagement
|
tms.networktoken.updated
|
Notifies you of a network token's change in expiration date or status (suspend, resume, or deactivate).
|
tms.networktoken.provisioned
|
Notifies you when a network token provision for an instrument identifier token has been successful.
|
Example: Product and Events in a Webhook Subscription
"productId": "tokenManagement", "eventTypes": [ "tms.networktoken.provisioned", "tms.networktoken.updated", "tms.token.pan_updated", "tms.token.created", "tms.token.updated" ]