Skip to main content
POST
/
v1
/
webhooks
Create a webhook subscription
curl --request POST \
  --url https://api.antonpayments.com/v1/webhooks \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'DPoP: <api-key>' \
  --data '
{
  "url": "https://example.com/webhooks/anton",
  "events": [],
  "metadata": {}
}
'
{
  "id": "wbh_01HX8Z9K0M2N3P4Q5R6S7T8UW",
  "merchant_id": "<string>",
  "url": "<string>",
  "events": [],
  "version": "2024-01-01",
  "created_at": "2026-04-15T14:30:00Z",
  "updated_at": "2026-04-15T14:30:00Z",
  "metadata": {},
  "secret": "whsec_0a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef"
}

Documentation Index

Fetch the complete documentation index at: https://docs.antonpayments.com/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

OAuth 2.0 client_credentials grant (RFC 6749 §4.4) bound to a DPoP keypair (RFC 9449).

Flow (every authenticated /v1 call requires both an access token AND a fresh per-request DPoP proof):

  1. Register a credential via the merchant portal. Anton issues a client_id (ant_oc_<env>_<32hex>) and a client_secret (ant_ocs_<env>_<48hex>, shown ONCE). The portal generates an ES256 or Ed25519 DPoP keypair in your browser; you store the private half.
  2. Mint an access token: POST /oauth/token with Authorization: Basic <client_id:client_secret> and Content-Type: application/x-www-form-urlencoded. Body: grant_type=client_credentials. A DPoP header carrying a proof signed for the token endpoint is required (no ath claim on this proof).
  3. Use the token: send Authorization: DPoP <access_token> plus a fresh DPoP: <proof> header on every /v1 request. The proof JWT MUST carry htm (request method), htu (request URL, no query/fragment), iat (within ±60s), jti (unique within 5 min), and ath (SHA-256 of the access token, base64url).

Tokens expire in 1 hour in production / staging and 8 hours in sandbox. There are no refresh tokens — call /oauth/token again with your secret. Anton's public signing key is published at /.well-known/jwks.json.

OpenAPI 3.0 has no native DPoP scheme; this declaration plus dpopHeader together convey both the access-token Authorization and the per-request proof header.

DPoP
string
header
required

Per-request DPoP proof JWT (RFC 9449). MUST accompany the Authorization: DPoP <access_token> header on every protected operation. The proof is signed by the merchant's private DPoP key and carries htm, htu, iat, jti, and ath claims.

Body

application/json
url
string<uri>
required

HTTPS URL that will receive deliveries.

Example:

"https://example.com/webhooks/anton"

events
enum<string>[]
required

Event types this subscription should receive. Use ["*"] to subscribe to everything.

See Webhook Events for the full catalog and payload shapes. Some reserved event types (balance.low on some paths) may be defined but not yet dispatched — subscribing to them is safe but no deliveries arrive until they're wired up.

Available options:
payout.created,
payout.approved,
payout.processing,
payout.sent,
payout.completed,
payout.failed,
payout.cancelled,
payout.returned,
payout.screening_failed,
payout.velocity_blocked,
beneficiary.created,
beneficiary.updated,
beneficiary.deleted,
beneficiary.blocked,
instrument.created,
instrument.updated,
instrument.deleted,
batch.uploaded,
batch.completed,
batch.failed,
fx.quote.created,
fx.exchange.created,
fx.exchange.completed,
fx.exchange.failed,
funding.credit,
screening.hit,
balance.low,
test
metadata
object

Response

Subscription created. Includes the one-time signing secret.

A registered webhook endpoint and its event filter.

id
string
required
Pattern: ^wbh_[a-zA-Z0-9]+$
Example:

"wbh_01HX8Z9K0M2N3P4Q5R6S7T8UW"

merchant_id
string
required
Pattern: ^mer_[a-zA-Z0-9]+$
url
string<uri>
required
events
enum<string>[]
required

See Webhook Events for the full catalog and payload shapes. Some reserved event types (balance.low on some paths) may be defined but not yet dispatched — subscribing to them is safe but no deliveries arrive until they're wired up.

Available options:
payout.created,
payout.approved,
payout.processing,
payout.sent,
payout.completed,
payout.failed,
payout.cancelled,
payout.returned,
payout.screening_failed,
payout.velocity_blocked,
beneficiary.created,
beneficiary.updated,
beneficiary.deleted,
beneficiary.blocked,
instrument.created,
instrument.updated,
instrument.deleted,
batch.uploaded,
batch.completed,
batch.failed,
fx.quote.created,
fx.exchange.created,
fx.exchange.completed,
fx.exchange.failed,
funding.credit,
screening.hit,
balance.low,
test
status
enum<string>
required
Available options:
active,
inactive
version
string
required

API version this subscription pins to.

Example:

"2024-01-01"

created_at
string<date-time>
required

RFC 3339 / ISO 8601 timestamp in UTC.

Example:

"2026-04-15T14:30:00Z"

updated_at
string<date-time>
required

RFC 3339 / ISO 8601 timestamp in UTC.

Example:

"2026-04-15T14:30:00Z"

metadata
object
secret
string

Signing secret (whsec_ + 64 hex). Shown once — store it now.

Example:

"whsec_0a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef"