Managed accounts webhooks

When creating a managed account, you can set the webhook_url parameter to get updates on the managed account sent to your server as HTTP POST requests.

Webhook types

  • user.created: Managed account created
  • user.identity.submitted: Managed account identity documentation submitted
  • user.identity.approved: Managed account identity documentation approved by OpenNode
  • user.identity.retry: Managed account identity documentation needs to be resent
  • user.identity.rejected: Managed account identity documentation rejected

Example webhook

{
  "type": "user.created",
  "user": {
    "id": "RD",
    "name": "Test 123",
    "email": "[email protected]",
    "currency": "USD",
    "is_business": false,
    "residence": "US",
    "underpayment_threshold": 0,
    "split_to_btc_bps": 0,
    "auto_settle": 0,
    "kyc_status": "approved"
  },
  "signature": "b8226907af5d6c5e867df47f29efdb94e9ac143ac072c18741ca7349788749cb"
}

Validating signature

Validate that the webhook was sent by OpenNode by computing an HMAC with the SHA256 hash function. Use the API key used to create the managed account as the key, and the user.id as the message.

import crypto from 'crypto';

const webhook = {
  "type": "user.created",
  "user": {
    "id": "RD",
    "name": "Test 123",
    "email": "[email protected]",
    "currency": "USD",
    "is_business": false,
    "residence": "US",
    "underpayment_threshold": 0,
    "split_to_btc_bps": 0,
    "auto_settle": 0,
    "kyc_status": "approved"
  },
  "signature": "b8226907af5d6c5e867df47f29efdb94e9ac143ac072c18741ca7349788749cb"
};

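// Decode the received hex signature to bytes
const received = Buffer.from(webhook.signature, 'hex');

const apiKey = '777b1122-8769-42c3-b001-6e1f2d6b5163';
// HMAC-SHA256 over user.id, keyed with the API key
const calculated = crypto.createHmac('sha256', apiKey).update(webhook.user.id).digest();

// Compare in constant time; timingSafeEqual throws on unequal lengths, so check the length first
if (received.length === calculated.length && crypto.timingSafeEqual(received, calculated)) {
    // Signature is valid
}
else {
    // Signature is invalid. Ignore.
}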
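
The same check applied to a raw request body, as an added example that is not OpenNode's code: it rejects malformed JSON, a missing user.id, a signature that is not 64 hex characters, and event types not listed above. The helper names, the reason strings, the sample key and the sample bodies are constructed for illustration.

```javascript
const crypto = require('crypto');

// Event types listed on this page; anything else is rejected.
const KNOWN_TYPES = new Set([
  'user.created', 'user.identity.submitted', 'user.identity.approved',
  'user.identity.retry', 'user.identity.rejected',
]);

// Hypothetical helper: returns { ok, reason, event } for a raw POST body.
function verifyManagedAccountWebhook(rawBody, apiKey) {
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: 'malformed-json' };
  }
  const id = event?.user?.id;
  const sig = event?.signature;
  if (typeof id !== 'string' || id === '') {
    return { ok: false, reason: 'missing-user-id' };
  }
  // A SHA-256 HMAC in hex is exactly 64 hex characters.
  if (typeof sig !== 'string' || !/^[0-9a-f]{64}$/i.test(sig)) {
    return { ok: false, reason: 'malformed-signature' };
  }
  // Key: API key that created the managed account. Message: user.id.
  const expected = crypto.createHmac('sha256', apiKey).update(id).digest();
  const received = Buffer.from(sig, 'hex'); // 32 bytes after the regex check
  if (!crypto.timingSafeEqual(received, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (!KNOWN_TYPES.has(event.type)) {
    return { ok: false, reason: 'unknown-type' };
  }
  return { ok: true, reason: null, event };
}

// Constructed sample input: a made-up key and a body signed as described above.
const SAMPLE_KEY = 'constructed-test-key';
function sampleBody(type, id, key = SAMPLE_KEY) {
  const signature = crypto.createHmac('sha256', key).update(id).digest('hex');
  return JSON.stringify({ type, user: { id, kyc_status: 'approved' }, signature });
}
```

Because the HMAC message is only user.id, a valid signature authenticates the account id and not the type or the other fields of the body.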