Using address webhook
This enables you to register a webhook that the Notabene system can query to check if the address belongs to you, and thereby speed up the response time by performing auto-confirmation/rejection and auto-redirect of your incoming travel rule transactions.
Register a webhook
You can register your address query webhook by calling POST Webhook for querying addresses. In the payload there are two required fields. The first is url which should contain your webhook URL. The second is params which you can fill in with whatever query parameters you also want use. If you don't want any additional query parameters you can just put "params": "?".
{
"url": "https://youraddresswebhookurl.com/notabenewebhook/",
"params": "?thisIsyourParams"
}
If you want to update the webhook url or params, just register a webhook again.
The endpoint for registering a webhook will always return a secret that you need to store in order to validate our request later:
ac81032ad9a3f2cea504011c76fdb53ac5899371
Disable internal auto-confirm
If you are using the address webhook, we recommend that you disable the internal address auto-confirmation that is built into the Notabene platform:
autoconfirm: false
Notabene querying your webhook
When Notabene queries your webhook, we will use the URL + the params that you have registered + asset & address of the incoming transaction:
GET https://youraddress.com/notabenewebhook/?{{params}}&asset={{assetType}}&address={{destinationAddress}}
Supported method
Your webhook URL needs to accept the GET HTTP method.
Validating Notabene's signature
Notabene's query will come with a signature inside a custom header called x-notabene-signature:
Notabene signature
Here is an example of how to get the signature from the payload to verify with the signature in the header:
// x-notabene-signature from the headers
signature = 'QpfzOuOcBk19tDEt0c/gct1/tfM='
const crypto = require('crypto');
// Defining the key you got when registering the address webhook
const secret = '909fecfc2c70833de980ffdc307aaa436b1c686f';
// Calling createHmac method
const hash = crypto.createHmac('sha1', secret)
// updating data with a concatenated string of method + URL + params
.update('GEThttps://eol06x2czi4qf7d.m.pipedream.net/?HelloMyNameIsChris=&address=3vbv5qHSiUNjCjxJ5o1pUu4ug1&asset=BTC')
// Encoding to be used
.digest('base64');
// Displays output
console.log(hash);
console.log(signature);
QpfzOuOcBk19tDEt0c/gct1/tfM=
QpfzOuOcBk19tDEt0c/gct1/tfM=
Webhook response
To be able to process your response automatically, the webhook needs to return an object that looks like this:
js
{
owns: true, // A boolean that indicates if the VASP owns the address
beneficiaryInfo: {} // (Optional) Beneficiary info that your VASP can share in IVMS101 format
}
Delete a webhook
You can delete your address query webhook by calling DELETE integrations/{vaspDID}/address-query-webhook
The delete endpoint will return a boolean called isDeleted and a messageto indicate if the webhook was deleted or not.
IP address
If you want to set up security controls or need to whitelist, the webhook notifications will only be sent from the following IPs:
IP addresses
PROD:
3.120.79.24TEST:
3.78.87.87
If you confirm that the address is yours, the status of the travel rule message will change to "ACK" and the beneficiary/originator details will be made available to you.
The name of the originator is then processed by your sanctions screening provider and the originating wallet address by your blockchain analytics provider (if the integration with them is enabled in our marketplace).
If these integrations are not enabled, you can use the details pushed by the webhook instead to do this internally.
Updated 5 months ago
Now that you are able to confirm that an address belongs to you, let's set up the process to make sure that all incoming blockchain deposits have a corresponding travel rule message: