{
  "transaction": {
    "id": "Transaction:019542f5-b3e7-1d02-0000-000000000005",
    "status": "PENDING",
    "type": "INCOMING",
    "senderUmaAddress": "$sender@external.domain",
    "receiverUmaAddress": "$recipient@uma.domain",
    "receivedAmount": {
      "amount": 50000,
      "currency": {
        "code": "USD",
        "name": "United States Dollar",
        "symbol": "$",
        "decimals": 2
      }
    },
    "customerId": "Customer:019542f5-b3e7-1d02-0000-000000000001",
    "platformCustomerId": "18d3e5f7b4a9c2",
    "reconciliationInstructions": {
      "reference": "REF-123456789"
    },
    "counterpartyInformation": {
      "FULL_NAME": "John Sender",
      "BIRTH_DATE": "1985-06-15",
      "NATIONALITY": "US"
    }
  },
  "requestedReceiverCustomerInfoFields": [
    {
      "name": "NATIONALITY",
      "mandatory": true
    },
    {
      "name": "ADDRESS",
      "mandatory": false
    }
  ],
  "timestamp": "2025-08-15T14:32:00Z",
  "webhookId": "Webhook:019542f5-b3e7-1d02-0000-000000000007",
  "type": "INCOMING_PAYMENT"
}

{
  "receiverCustomerInfo": {}
}

Webhooks

Incoming payment webhook and approval mechanism

Webhook that is called when an incoming payment is received by a customer’s UMA address. This endpoint should be implemented by clients of the Grid API.

Authentication

The webhook includes a signature in the X-Grid-Signature header that allows you to verify that the webhook was sent by Grid. To verify the signature:

Get the Grid public key provided to you during integration
Decode the base64 signature from the header
Create a SHA-256 hash of the request body
Verify the signature using the public key and the hash

If the signature verification succeeds, the webhook is authentic. If not, it should be rejected.

Payment Approval Flow

When a transaction has status: "PENDING", this webhook serves as an approval mechanism:

The client should check the counterpartyInformation against their requirements
To APPROVE the payment synchronously, return a 200 OK response
To REJECT the payment, return a 403 Forbidden response with an Error object
To request more information, return a 422 Unprocessable Entity with specific missing fields
To process the payment asynchronously, return a 202 Accepted response and then call the /transactions/{transactionId}/approve or /transactions/{transactionId}/reject endpoint within 5 seconds. Note that synchronous approval/rejection is preferred where possible.

The Grid system will proceed or cancel the payment based on your response.

For transactions with other statuses (COMPLETED, FAILED, REFUNDED), this webhook is purely informational.

WEBHOOK

incoming-payment

{
  "transaction": {
    "id": "Transaction:019542f5-b3e7-1d02-0000-000000000005",
    "status": "PENDING",
    "type": "INCOMING",
    "senderUmaAddress": "$sender@external.domain",
    "receiverUmaAddress": "$recipient@uma.domain",
    "receivedAmount": {
      "amount": 50000,
      "currency": {
        "code": "USD",
        "name": "United States Dollar",
        "symbol": "$",
        "decimals": 2
      }
    },
    "customerId": "Customer:019542f5-b3e7-1d02-0000-000000000001",
    "platformCustomerId": "18d3e5f7b4a9c2",
    "reconciliationInstructions": {
      "reference": "REF-123456789"
    },
    "counterpartyInformation": {
      "FULL_NAME": "John Sender",
      "BIRTH_DATE": "1985-06-15",
      "NATIONALITY": "US"
    }
  },
  "requestedReceiverCustomerInfoFields": [
    {
      "name": "NATIONALITY",
      "mandatory": true
    },
    {
      "name": "ADDRESS",
      "mandatory": false
    }
  ],
  "timestamp": "2025-08-15T14:32:00Z",
  "webhookId": "Webhook:019542f5-b3e7-1d02-0000-000000000007",
  "type": "INCOMING_PAYMENT"
}

{
  "receiverCustomerInfo": {}
}

Authorizations

X-Grid-Signature

string

header

required

Secp256r1 (P-256) asymmetric signature of the webhook payload, which can be used to verify that the webhook was sent by Grid.

To verify the signature:

Get the Grid public key provided to you during integration
Decode the base64 signature from the header
Create a SHA-256 hash of the request body
Verify the signature using the public key and the hash

If the signature verification succeeds, the webhook is authentic. If not, it should be rejected.

Body

application/json

timestamp

string<date-time>

required

ISO8601 timestamp when the webhook was sent (can be used to prevent replay attacks)

Example:

"2025-08-15T14:32:00Z"

webhookId

string

required

Unique identifier for this webhook delivery (can be used for idempotency)

Example:

"Webhook:019542f5-b3e7-1d02-0000-000000000007"

type

enum<string>

required

Type of webhook event

Available options:

INCOMING_PAYMENT,

OUTGOING_PAYMENT,

TEST,

BULK_UPLOAD,

INVITATION_CLAIMED,

KYC_STATUS,

ACCOUNT_STATUS

transaction

object

required

Show child attributes

requestedReceiverCustomerInfoFields

object[]

Information required by the sender's VASP about the recipient. Platform must provide these in the 200 OK response if approving. Note that this only includes fields which Grid does not already have from initial customer registration.

Show child attributes

Response

Webhook received successfully. For PENDING transactions, this indicates approval to proceed with the payment. If requestedReceiverCustomerInfoFields were present in the webhook request, the corresponding fields for the recipient must be included in this response in the receiverCustomerInfo object.

receiverCustomerInfo

object

Information about the recipient, provided by the platform if requested in the webhook via requestedReceiverCustomerInfoFields and the payment is approved.

Send a test webhook Outgoing payment status webhook

⌘I

Using the API

API documentation

Incoming payment webhook and approval mechanism

Authentication

Payment Approval Flow

Authorizations

Body

Response