Prerequisites
- A production, staging, or development instance with webhooks enabled
- HMAC enabled on your instance (contact your Flinks Representative or open a ticket via the Support Portal)
- An HMAC secret key provided by Flinks
How it works
- When Flinks sends a webhook, it computes an HMAC-SHA256 hash of the request body using your shared secret key.
- The resulting signature is included in the webhook request header.
- Your server computes the same hash and compares it to the header value.
- If they match, the webhook is authentic.
Python implementation
Example: Flask webhook endpoint
Node.js implementation
Example: Express webhook endpoint
Using the Tag parameter with webhooks
TheTag parameter in Flinks Connect allows you to attach custom metadata to a connection, which is then included in the webhook payload. This is useful for correlating webhook data with your internal records without needing to look up the loginId.
Setup
Add thetag parameter to your Flinks Connect iframe URL:
Webhook payload with Tag
When a webhook is delivered, theTag value is included in the payload:
Do not include personally identifiable information (PII) in tags. Use internal reference IDs instead.
Webhooks as the recommended async pattern
Webhooks are the recommended approach for receiving data from Flinks, rather than polling the API. Benefits include:- No polling overhead: Receive data as soon as processing completes
- Reduced API calls: Avoid repeated
/GetAccountsDetailcalls while waiting for data - Immediate notification: Get alerted within seconds of data availability
- Retry handling: Flinks retries failed deliveries up to 10 times at 30-minute intervals
Verification checklist
- Extract the signature from the webhook request header
- Compute the HMAC-SHA256 hash of the raw request body using your secret key
- Base64-encode the computed hash
- Compare using constant-time comparison
- Return HTTP 200 on success
- Return HTTP 403 on signature mismatch (and log the event for investigation)