Callbacks (Webhooks)

Callbacks are used to send real-time notifications on the events that happen on a bunq account.

To receive notifications for certain events on a bunq account, you need to create notification filters. It is possible to send the notifications to a provided URL and/or the user’s phone as push notifications.

Notification FIlters

Use the notification-filter-push resource to create and manage push notification filters. Provide the type of events you want to receive notifications about in the category field.

Example request body:

{
   "notification_filters":[
      {
         "category":"SCHEDULE_RESULT"
      }
   ]
}

Use the notification-filter-url resource to create and manage URL notification filters. The callback URL you provide in the notification_target field must use HTTPS.

Example request body:

{
   "notification_filters":[
      {
         "category":"PAYMENT",
         "notification_target":"{YOUR_CALLBACK_URL}"
      }
   ]
}

Callback categories

Mutation Category

A Mutation is a change in the balance of a monetary account. A Mutation is created for each payment-like object, such as a request, iDEAL-payment or a regular payment. Therefore, the MUTATIONcategory can be used to keep track of a monetary account's balance change.

Receiving Callbacks

• Callbacks for the sandbox environment will be made from different IP's at AWS.

• Callbacks for the production environment will be made from 185.40.108.0/22.

The IP addresses might change. We will notify you in a timely fashion if such a change is planned.

Retry mechanism

When the execution of a callback fails (e.g. the callback server is down or the response contains an error), we try to resend it for a maximum of 5 times, with an interval of one minute between each try. If your server is not reachable by the callback after the 6th total try, the callback is not sent anymore.

Removing callbacks

To remove callbacks for an object, send a PUT request to the user-person, user-company, monetary-account or cash-register resource with the notification_filters field of the JSON request body unset.

{
    "notification_filters": []
}

Setting up a callback

Check Notification Filter for all possible callbacks, here we show one example API call to set up a new URL notification. For instance for succesful card transactions: ```

{
    "notification_filters": [
        {"category": "CARD_TRANSACTIONSUCCESSFUL",
        "notification_target": "https://webhook.site/994966bb-7a4c-4be3-836a-da65231b907d"}
    ]
}

Certificate Pinning

We recommend that you use certificate pinning as an extra security measure. We will check if the certificate of the recipient server matches the pinned certificate that you provided and cancel the callback if the check fails or we detect a mismatch.

How to set up certificate pinning

1. Retrieve the SSL certificate of your server using the following command:

   openssl s_client -servername www.example.com -connect www.example.com:443 < /dev/null | sed -n "/-----BEGIN/,/-----END/p" > www.example.com.pem

2. POST the certificate to the certificate-pinnedendpoint.

Once ready, every callback will be checked against the pinned certificate that you provided. Note that if the SSL certificate on your server expires or is changed, our callbacks will fail.