Using address webhook

This enables you to register a webhook that the Notabene system can query to check if the address belongs to you, and thereby speed up the response time by performing auto-confirmation/rejection and auto-redirect of your incoming travel rule transactions.

Register a webhook

You can register your address query webhook by calling POST Webhook for querying addresses. In the payload there are two required fields. The first is url which should contain your webhook URL. The second is params which you can fill in with whatever query parameters you also want use. If you don't want any additional query parameters you can just put "params": "?".

"url": "",
"params": "?thisIsyourParams"

If you want to update the webhook url or params, just register a webhook again.

The endpoint for registering a webhook will always return a secret that you need to store in order to validate our request later:



Disable internal auto-confirm

If you are using the address webhook, we recommend that you disable the internal address auto-confirmation that is built into the Notabene platform: autoconfirm: false

Notabene querying your webhook

When Notabene queries your webhook, we will use the URL + the params that you have registered + asset & address of the incoming transaction:


Supported method

Your webhook URL needs to accept the GET HTTP method.

Validating Notabene's signature

Notabene's query will come with a signature inside a custom header called x-notabene-signature:

Notabene signature

Notabene signature

Here is an example of how to get the signature from the payload to verify with the signature in the header:

// x-notabene-signature from the headers
signature = 'QpfzOuOcBk19tDEt0c/gct1/tfM='

const crypto = require('crypto');
// Defining the key you got when registering the address webhook
const secret = '909fecfc2c70833de980ffdc307aaa436b1c686f';
// Calling createHmac method
const hash = crypto.createHmac('sha1', secret)
                   // updating data with a concatenated string of method + URL + params
                   // Encoding to be used
// Displays output


Webhook response

To be able to process your response automatically, the webhook needs to return an object that looks like this:

    owns: true,         // A boolean that indicates if the VASP owns the address
    beneficiaryInfo: {} // (Optional) Beneficiary info that your VASP can share in IVMS101 format  

Delete a webhook

You can delete your address query webhook by calling DELETE integrations/{vaspDID}/address-query-webhook

The delete endpoint will return a boolean called isDeleted and a messageto indicate if the webhook was deleted or not.

IP address

If you want to set up security controls or need to whitelist, the webhook notifications will only be sent from the following IPs:


IP addresses



If you confirm that the address is yours, the status of the travel rule message will change to "ACK" and the beneficiary/originator details will be made available to you.

The name of the originator is then processed by your sanctions screening provider and the originating wallet address by your blockchain analytics provider (if the integration with them is enabled in our marketplace).
If these integrations are not enabled, you can use the details pushed by the webhook instead to do this internally.

What’s Next

Now that you are able to confirm that an address belongs to you, let's set up the process to make sure that all incoming blockchain deposits have a corresponding travel rule message: