Skip to main content
Flinks includes an HMAC-SHA256 signature in webhook headers so you can verify that the payload was sent by Flinks and hasn’t been tampered with.

Prerequisites

  • A production, staging, or development instance with webhooks enabled
  • HMAC enabled on your instance (contact your Flinks Representative or open a ticket via the Support Portal)
  • An HMAC secret key provided by Flinks

How it works

  1. When Flinks sends a webhook, it computes an HMAC-SHA256 hash of the request body using your shared secret key.
  2. The resulting signature is included in the webhook request header.
  3. Your server computes the same hash and compares it to the header value.
  4. If they match, the webhook is authentic.

Python implementation

Example: Flask webhook endpoint

Always use constant-time comparison (like hmac.compare_digest) when verifying signatures. Standard string comparison (==) is vulnerable to timing attacks.

Node.js implementation

Example: Express webhook endpoint

Using the Tag parameter with webhooks

The Tag parameter in Flinks Connect allows you to attach custom metadata to a connection, which is then included in the webhook payload. This is useful for correlating webhook data with your internal records without needing to look up the loginId.

Setup

Add the tag parameter to your Flinks Connect iframe URL:

Webhook payload with Tag

When a webhook is delivered, the Tag value is included in the payload:
Do not include personally identifiable information (PII) in tags. Use internal reference IDs instead.
Webhooks are the recommended approach for receiving data from Flinks, rather than polling the API. Benefits include:
  • No polling overhead: Receive data as soon as processing completes
  • Reduced API calls: Avoid repeated /GetAccountsDetail calls while waiting for data
  • Immediate notification: Get alerted within seconds of data availability
  • Retry handling: Flinks retries failed deliveries up to 10 times at 30-minute intervals
For webhook setup instructions, see the Webhooks Introduction.

Verification checklist

  • Extract the signature from the webhook request header
  • Compute the HMAC-SHA256 hash of the raw request body using your secret key
  • Base64-encode the computed hash
  • Compare using constant-time comparison
  • Return HTTP 200 on success
  • Return HTTP 403 on signature mismatch (and log the event for investigation)