Webhooks Overview - Daya API Documentation

What are Webhooks?

Webhooks let you receive real-time HTTP notifications when funding account, deposit, transfer, withdrawal, or customer verification lifecycle events occur, instead of polling the API for status changes.

Webhooks are the recommended way to track funding account provisioning, deposit settlement, merchant-initiated bank transfers, crypto withdrawal progress, and customer verification changes.

Supported Events

Deposit Events:

Event	Resource	Description
`deposit.received`	Deposit	Deposit received (NGN or crypto)
`deposit.processing`	Deposit	Deposit settlement has started
`deposit.requires_review`	Deposit	Deposit needs review before it can continue
`deposit.completed`	Deposit	Deposit reached its settlement destination
`deposit.failed`	Deposit	Deposit failed
`deposit.reversed`	Deposit	Completed deposit reversed

Funding Account Events:

Event	Resource	Description
`funding_account.created`	Funding Account	Funding account record created in pending state
`funding_account.active`	Funding Account	Receive instructions provisioned successfully
`funding_account.failed`	Funding Account	Receive instruction provisioning failed
`funding_account.disabled`	Funding Account	Funding account disabled

Withdrawal Events:

Event	Resource	Description
`withdrawal.created`	Withdrawal	Withdrawal request accepted
`withdrawal.submitted`	Withdrawal	Withdrawal submitted to chain
`withdrawal.completed`	Withdrawal	Withdrawal confirmed on-chain
`withdrawal.failed`	Withdrawal	Withdrawal failed

Transfer Events:

Event	Resource	Description
`transfer.created`	Transfer	Transfer record created
`transfer.processing`	Transfer	Funds locked and transfer submission queued
`transfer.requires_review`	Transfer	Transfer flagged for manual review
`transfer.submitted`	Transfer	Provider accepted the transfer submission
`transfer.completed`	Transfer	Transfer settled after provider success and ledger finalization
`transfer.failed`	Transfer	Transfer failed terminally
`transfer.reversed`	Transfer	Completed transfer reversed

Customer Verification Events:

Event	Resource	Description
`customer.verification.submitted`	Customer	Verification submitted for review
`customer.verification.approved`	Customer	Verification approved
`customer.verification.rejected`	Customer	Verification rejected

Use transfer.* events for POST /v1/transfers. For deposits, track settlement with deposit.* events; settlement delivery work that Daya performs in the background is not surfaced as a separate payout webhook.

Webhook Configuration

Configure webhook endpoints in your Daya Dashboard:

Navigate to Webhooks
Add your webhook URL
Generate or copy your webhook secret
Subscribe to the events you want to receive

The event_types setting controls which events an endpoint receives. Omit event_types or set it to [] to receive all events. Use a non-empty array, such as ["deposit.received", "deposit.completed"], to receive only those exact event names. Unknown event names are rejected.

Use HTTPS in production. HTTP should be limited to local or sandbox development.

Webhook Payload

All merchant webhooks use the same envelope:

{
  "event": "transfer.completed",
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "data": {
    "id": "650e8400-e29b-41d4-a716-446655440000",
    "status": "SETTLED",
    "rail": "NGN_BANK",
    "reference": "txn_ngn_001"
  },
  "timestamp": "2026-03-10T09:03:00Z"
}

Common Fields

event

string

Event type, such as deposit.completed, transfer.completed, or withdrawal.failed.

string

Unique webhook event identifier. Store this value to deduplicate deliveries.

data

object

Resource payload for the event. Funding account events send a funding account object, deposit events send a deposit object, transfer events send a transfer object, withdrawal events send a withdrawal object, and customer verification events send a customer object.

timestamp

string

RFC3339 timestamp for when the event was emitted.

See Webhook Events for the full event list and resource payload mapping.

Delivery Guarantees

At-least-once delivery

Webhooks may be delivered more than once. Your handler must deduplicate repeated deliveries.

Order not guaranteed

Events can arrive out of order. Use the timestamp field to order updates client-side.

Retry behavior

If your endpoint returns a non-2xx response or times out, Daya retries with backoff. Build your handler to be safe for repeated delivery.

Timeout

Respond quickly and offload heavy work asynchronously. Slow handlers increase duplicate deliveries.

Webhook Verification

All webhook requests include an HMAC-SHA256 signature in the X-Daya-Signature header. See Webhook Verification for implementation details.

Implementing a Webhook Endpoint

Your endpoint should:

Verify the signature
Build a stable deduplication key from the payload
Return 2xx quickly
Process the event asynchronously if work is non-trivial

const express = require('express');
const crypto = require('crypto');

const app = express();
app.use(express.json());

function verifySignature(payload, signature, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

function webhookSubjectId(event) {
  return event.data.id || event.data.deposit_id;
}

function dedupeKey(event) {
  return event.id || `${event.event}:${webhookSubjectId(event)}:${event.timestamp}`;
}

app.post('/webhooks/daya', (req, res) => {
  const signature = req.headers['x-daya-signature'];
  const payload = JSON.stringify(req.body);

  if (!verifySignature(payload, signature, process.env.DAYA_WEBHOOK_SECRET)) {
    return res.status(401).send('Invalid signature');
  }

  const key = dedupeKey(req.body);
  if (isProcessed(key)) {
    return res.status(200).send('Already processed');
  }

  queue.add('process-webhook', req.body);
  markAsProcessed(key);

  res.status(200).send('OK');
});

Best Practices

Verify signatures

Always verify X-Daya-Signature before trusting the payload.

Deduplicate deliveries

Store the webhook event id as your primary deduplication key.

CREATE TABLE processed_webhook_events (
  webhook_event_id VARCHAR(255) PRIMARY KEY,
  processed_at TIMESTAMP
);

Return 200 quickly

Acknowledge receipt immediately and queue heavier downstream work.

Handle out-of-order events

Use timestamp and the underlying resource state to reconcile event order safely.

Monitor webhook health

Track failed deliveries and alert on sustained retries.

Testing Webhooks

For deposit webhook flows:

Create a sandbox receive instruction
Trigger a sandbox deposit with Create a sandbox deposit
Observe the resulting deposit lifecycle webhooks

For withdrawal webhook flows:

Fund merchant balance through a merchant-balance settlement flow
Create a withdrawal
Observe withdrawal.created, withdrawal.submitted, withdrawal.completed, or withdrawal.failed

Troubleshooting

Webhooks not received

Check endpoint reachability, TLS configuration, and whether your handler is returning non-2xx responses.

Duplicate deliveries

Duplicate delivery is expected under at-least-once semantics. Deduplicate using the webhook event id.

Out-of-order events

Sort or reconcile events using timestamp instead of arrival order.

Signature verification fails

Verify you are using the correct webhook secret and the raw request body.

Next Steps

Webhook Events

Event inventory and resource payload mapping

Signature Verification

Implement HMAC verification

​What are Webhooks?

​Supported Events

​Webhook Configuration

​Webhook Payload

​Common Fields

​Delivery Guarantees

​Webhook Verification

​Implementing a Webhook Endpoint

​Best Practices

​Testing Webhooks

​Troubleshooting

​Next Steps

Webhook Events

Signature Verification

What are Webhooks?

Supported Events

Webhook Configuration

Webhook Payload

Common Fields

Delivery Guarantees

Webhook Verification

Implementing a Webhook Endpoint

Best Practices

Testing Webhooks

Troubleshooting

Next Steps