Skip to main content

Webhooks

MX provides webhooks that send HTTPS POST callback requests to the URL of your choice. This enables you to subscribe to certain events, be notified when those events occur, and have information related to events delivered to you. If you are subscribed to multiple events, a different URL can be configured for each event.

You can set up and configure webhooks on the client dashboard.

Features

The current version of MX webhooks has the following features:

  • Webhooks are delivered via RESTful HTTPS requests to your listening service;
  • Webhooks are triggered when a qualifying event occurs in the MX system;
  • Webhooks can make requests to any specified URL;
    • Configuration for this is done offline, out of band;
  • Each POST request includes a JSON-formatted payload;
  • The frequency of request retries diminishes over the course of approximately 24 hours, with no more than 12 total retries after an initial request.

Best Practices

  • Immediate Response to Webhook Requests: It's crucial to respond promptly to webhook requests, whether with a success or error code, to prevent resource tie-ups for both your system and MX.
  • Success Response Handling: Upon successful receipt of the webhook, promptly send a 204 No Content response. This avoids unnecessary resource consumption, crucial for preventing delays in payload processing on both systems.
  • Error Response Handling: Only issue error codes when the webhook wasn’t successfully received. MX payloads may contain null values or include unexpected new fields. If your systems encounter difficulty parsing such situations, issuing an error code won't resolve the problem as MX will resend the same unexpected payload, resulting in the same error.
  • Payload Processing Resilience: Design your webhook payload processing to be resilient to changes. While existing fields won’t be removed, new fields may be added, and the order of fields isn't guaranteed.
  • Queueing Mechanism for Processing: Put every webhook you receive into an internal queue for processing. This help you process requests as quickly as your system allows and lets you have your own error retry queue for internal errors. Any webhooks that your system can’t process should be placed in a separate list for examination, where you can log and resolve any errors.
  • Handling Duplicate Webhooks: If you receive a duplicate webhook for a single event, log every event you process and don’t process any event that has already been logged. This practice helps prevent future occurrences of duplicate events.

Changes to Expected Payloads

MX will not remove fields from a webhook payload without a major version change. However, fields may be added to a webhook payload at any time. You should allow for this and should assume neither a fixed set of fields nor a fixed ordering of fields. Any processing should allow for these changes.

Many fields can also return a null value. You should account for this when handling the webhook payload.

Date and Time Formats

Date and time fields are supported in either Unix Epoch time (no milliseconds), or in ISO 8601 with no timestamp (YYYY-MM-DD).

  • Fields ending in _at are Unix Epoch time (no milliseconds), e.g. 1504224000.
  • Fields ending in _on are ISO 8601 (no timestamp), e.g. 2017-09-01.

Error Handling

MX checks the status code you send in your response and takes appropriate action based on that. MX will retry a webhook for all status codes outside of the successful 200 range listed above. This could be a connection timeout, write timeout, read timeout, DNS error, etc. Because of this, it's important that you respond to each webhook request as soon as possible, whether with a success code or an error code. Delays tie up resources for both you and MX.

Retries always contain a payload identical to the initial request. This means it's very important that you only send error codes in situations where retrying the webhook will be beneficial, and not in cases where sending the same payload will result in the same error. In cases where the same error will occur, you should return a success status code to MX and put the request into their own internal retry queue, or log the error internally for investigation. In other words, error codes should only be returned when the webhook was not successfully received.

For example, MX payloads may contain null values, and may include new fields you don't expect. If your systems can't parse these situations, sending an error code will not help because MX will respond by sending the exact same unexpected payload, resulting in the same error.

The most common error codes are within the 500 range (something went wrong on the receiving end) that prevent you from receiving the webhook. A 400-level error should only be returned in cases where a payload is truly invalid, such as if it contains invalid JSON, but not in situations where you can't process the payload for some internal reason.

Successful Status Codes

  • 200 OK
  • 201 CREATED
  • 202 ACCEPTED
  • 203 NON_AUTHORITATIVE_INFORMATION
  • 204 NO_CONTENT
  • 205 RESET_CONTENT
  • 206 PARTIAL_CONTENT

Duplicate Webhooks

If you receive a duplicate webhook for a single event, log every event you process and don’t process any event that has already been logged to avoid this in the future. For true duplicate events that you don’t want to process on your end because they've' already been logged, you must still send a success code to us. Otherwise, we'll continue to retry sending the duplicate event. If this does not solve duplicate events, you may be handling errors incorrectly.

Fields Ending in _set_by

Fields ending in _set_by indicate the source of the data for the associated field. Possible values are as follows.

ValueDefinition
FEEDThe data source was the MX data feed.
USERThe data source was the user.
SYSTEMThe data source was the MX system.

Retries

MX webhooks will automatically retry a request in the case of a failed delivery such as a connection timeout, write timeout, read timeout, DNS error, etc.

Retry attempts will contain the same payload as the original request. Retry attempts follow a pattern of incrementally decreasing in frequency with each attempt. You can expect to see a number of retries within the first hour of the initial attempt and then gradually these retry attempts will become less and less frequent. Retry attempts have an element of randomness to them in order to avoid having a flood of retry requests be sent to your system all at once.

If the webhook cannot be successfully delivered after 12 successive retries, it will not be delivered.

Example Retry Schedule

info

This schedule is only an example and is not exact.

Retry NumberTime Elapsed Since Initial Attempt
10h 0m 30s
20h 1m 16s
30h 2m 32s
40h 5m 8s
50h 10m 54s
60h 23m 4s
70h 46m 40s
81h 28m 56s
92h 39m 42s
104h 31m 48s
117h 21m 28s
1211h 28m 44s

Security

All webhook requests are encrypted by default. However, MX recommends using an additional layer of security as well. One or more of the following are typical.

HTTP Basic Authorization

Provide MX with a username and password for making basic HTTP requests to your chosen URL.

Mutual Certificate Authentication

In order to set up mutual authentication, MX will generate a Certificate Signing Request (CSR) for you. You'll first need to provide MX with the following information:

  • Common Name
  • Organization
  • Department
  • City
  • State/Province
  • Country
  • Key Size: MX uses the recommended size of RSA 2048.

Use this CSR to purchase a certificate, and then send it to MX. This certificate will be used to authenticate requests originating from MX.

OAuth 2 Access Token Authentication (Client Credentials)

To secure webhooks with OAuth access tokens, provide MX with an ID and secret to be used for basic authorization. MX will use these to make a request to your token endpoint to generate a new access token using the client_credentials grant type. This token will then be used to make requests to your webhook URL until the token expires. MX then repeats the process.

MX can configure our token requests to send the grant type in either the body or the query string.

Grant Type In Query Sting

Request
Response
Language:shell

_10
POST /token?grant_type=client_credentials HTTP/1.1
_10
Host: server.example.com
_10
Authorization: Basic YWNtZTo4NTdkM2Y1YWU0ZWNhNjUy
_10
Accept: */*
_10
Content-Length: 0
_10
Date: Tue, 25 Oct 2022 18:38:10 GMT
_10
User-Agent: HTTPClient/1.0 (2.8.3, ruby 2.6.8 (2022-06-27))

Grant Type In Body

Request
Response
Language:shell

_10
POST /token HTTP/1.1
_10
Host: server.example.com
_10
Authorization: Basic YWNtZTo4NTdkM2Y1YWU0ZWNhNjUy
_10
Accept: application/json
_10
Content-Length: 29
_10
Content-Type: application/x-www-form-urlencoded
_10
Date: Tue, 25 Oct 2022 18:35:13 GMT
_10
User-Agent: HTTPClient/1.0 (2.8.3, ruby 2.6.8 (2022-06-27))
_10
_10
grant_type=client_credentials

Testing

To test an existing webhook, please visit your webhook profile on the client dashboard.

Webhooks can be tested in two ways.

First, simple test webhooks can be generated from your dashboard for a limited number of webhook types. These contain dummy data and aren't strictly part of your integration. But they will allow you to confirm that the URL and security settings you've chosen in the dashboard are working as expected.

Second, MX can generate special test webhooks at your request. These are tied to your particular integration and can be generated for any webhook type you are subscribed to. The payload of a special test webhook will have its action field set to test and includes a field indicating the type of webhook being tested, as shown in the example.

MX-Generated Test Payload


_10
{
_10
"action": "test",
_10
"account": {},
_10
"version": 1
_10
}

Available Webhooks

For Platform API clients, only the aggregation, balance, connection status, history, insights, and statements webhooks are available.

For other clients, any of the listed webhooks may be available depending on your specific integration details.

On this page