GuidesAPI ReferenceChangelog
Log In


Webhooks allow you to subscribe to server-side notifications of events, like completing jobs and newly available data. Webhooks are helpful to optimize your Pinwheel integration. For a complete list of webhook events, please visit the API Reference page.

Subscribing to Webhook Events

You can register a webhook endpoint by sending a request to create a webhook specifying the events to subscribe to with the enabled_events parameter. You should explicitly enumerate the events you'd like to subscribe to (e.g., ['direct_deposit_switch.added', 'income.added']). Webhook endpoints must be https:// so that the event payloads can be transmitted securely.

POST /v1/webhooks
Content-Type: application/json
x-api-secret: YOUR-API-SECRET

  "url": "",
  "status": "active",
  "enabled_events": [

Webhook Pause Policy

Webhook endpoints that fail to return a successful response code (200 OK) for 30 consecutive days will be set to status: paused to avoid unnecessary delivery attempts.

Webhook Quota

There is a quota of 10 registered webhooks per API key. Requests to create new webhooks after the quota has been reached will return an error response.

Webhook Event Handling

Webhook events are delivered over HTTPS to the endpoint you registered. An example event is:

POST /webhook-endpoint
Content-Type: application/json
x-pinwheel-signature: v2=36a0c8d2049601b11290ebcae3348f627cba32889ca5ac3c8ff7ece1fef1ad8f
x-pinwheel-webhook-id: 61788409-8314-4e89-9300-ae7b9d3ccff5
x-timestamp: 1609205925

  "event": "direct_deposit_switch.added",
  "event_id": "5a141122-4235-4fa1-bd76-0628573880b0",
  "payload": {

Verifying Pinwheel is the Sender

Pinwheel signs all webhook events it sends to your endpoints by including a signature in each event's x-pinwheel-signature header. You can use this signature to verify that the events were sent by Pinwheel, not by a third party. Learn more at Webhook Signature Verification.

Retry Policy

Pinwheel expects a response within 15 seconds from your endpoint. Pinwheel will redeliver a webhook event if your webhook endpoint returns a failure (5XX status codes or network issues). Up to 5 subsequent delivery attempts will be made with exponential backoff including jitter in the 15 minutes following the initial delivery attempt.

Handling Duplicate Events

The event_id request body parameter is unique for each webhook event. This can be used to guard against potential duplicate events and make your system idempotent. It can also be used to troubleshoot webhook event specific issues, so we recommend logging this identifier.

Webhook events are delivered with "at least once" guarantees, meaning that (rarely) the same webhook event will be delivered to your system multiple times.

Webhook Request Body

All webhook requests have a JSON body with the following parameters:

eventstringWebhook event, e.g., direct_deposit_switch.added.
event_idstringUnique ID for each webhook event.
payloadobjectPayload attributes vary based on event.

Webhook Request Headers

All webhook requests have the following headers:

x-pinwheel-signaturestringSee Webhook Signature Verification.
x-pinwheel-webhook-idstringID of the webhook created via the POST /webhooks endpoint.
x-timestampintegerWhen the request was sent in Unix epoch time seconds.

Pending Webhook Job Outcomes

All job-associated webhook events include an outcome in the payload. The outcome represents the status of a job, and it can be either success, error, or pending. A pending status indicates that a job was unable to be completed on its first attempt and will be retried up to 24 hours after the initial attempt. A job with a pending status will transition to either an error or a success within the 24-hour window, and you will be notified with another webhook event.

Please contact [email protected] for access to our Developer Dashboard.