Webhook subscriptions are configured by the BRP Portal administrator. When enabled, the system pushes real-time event notifications to the registered endpoint.

Supported Events

| Event | Description |
| --- | --- |
| nomination.gate_closure_reminder | Reminder that gate closure is approaching (<8h left and has errors) |
| nomination.file_created | A nominations file has been added/updated |
| nomination.error_detected | An error/mismatch was detected in a nomination |
| contract.added | A new PPA contract has been added |
| customer.assigned | A new customer has been assigned to the BRP |

Payload Format

All webhook payloads follow this structure:
{
  "event": "nomination.error_detected",
  "timestamp": "2026-01-14T18:25:00Z",
  "data": { ... }
}
The data field contains event-specific details. The timestamp is the time the event occurred (ISO 8601, UTC).

Signature Verification

Payloads are signed using HMAC-SHA256 with a shared secret. The signature is included in the X-Webhook-Signature header. To verify a webhook payload:
  1. Extract the X-Webhook-Signature header value from the request.
  2. Compute the HMAC-SHA256 of the raw request body using your shared secret.
  3. Compare the computed signature with the header value.
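# Example: verify a webhook signature
# REQUEST_BODY must hold the raw request body, byte for byte as received.
# printf avoids echo's non-portable handling of -n and backslashes; $NF takes
# the hex digest whatever prefix openssl prints before it.
SIGNATURE=$(printf '%s' "$REQUEST_BODY" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $NF}')

if [ "$SIGNATURE" = "$RECEIVED_SIGNATURE" ]; then
  echo "Valid signature"
else
  echo "Invalid signature" >&2
  exit 1
fi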
Always verify the webhook signature before processing the payload to ensure the request originates from Otark.

Best Practices

  • Respond quickly: Return a 200 status code within a few seconds. Process the event asynchronously if needed.
  • Handle duplicates: Events may be delivered more than once. Use the timestamp and event data to deduplicate.
  • Monitor failures: If your endpoint fails to respond, Otark will retry delivery with exponential backoff.
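
A receiver-side version of the verification steps and the deduplication advice above, as an added example that is not part of the original documentation. It assumes the X-Webhook-Signature header carries a hex digest (as the openssl example implies); the function names, the secret and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials or real event data.
SECRET = b"constructed-demo-secret"
BODY = (b'{"event":"nomination.error_detected",'
        b'"timestamp":"2026-01-14T18:25:00Z","data":{"id":1}}')


def sign(raw_body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 of the raw body, hex encoded (encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, header_value, secret: bytes) -> bool:
    """Steps 1-3: compare the header with the HMAC of the bytes as received."""
    if not header_value:
        return False  # a missing header is a failed verification
    received = header_value.strip().lower().encode()
    # compare_digest takes time independent of where the values differ,
    # unlike == on strings, so it leaks nothing about the expected digest.
    return hmac.compare_digest(sign(raw_body, secret).encode(), received)


def dedup_key(event: dict) -> str:
    """Stable key built from the event name, timestamp and event data."""
    parts = [event.get("event"), event.get("timestamp"), event.get("data")]
    return hashlib.sha256(json.dumps(parts, sort_keys=True).encode()).hexdigest()


def handle_webhook(raw_body: bytes, headers: dict, secret: bytes, seen: set):
    """Return (status, reason). `seen` stands in for a persistent store."""
    # Verify before parsing: unauthenticated bytes never reach the JSON parser.
    if not verify_signature(raw_body, headers.get("X-Webhook-Signature"), secret):
        return 401, "invalid signature"
    try:
        event = json.loads(raw_body)
    except ValueError:  # also covers invalid UTF-8
        return 400, "malformed JSON"
    if not isinstance(event, dict):
        return 400, "unexpected payload shape"
    key = dedup_key(event)
    if key in seen:
        return 200, "duplicate ignored"  # acknowledge so delivery is not retried
    seen.add(key)
    # Hand the event to a background worker here, then return quickly.
    return 200, "accepted"
```

The signature is computed over the request bytes exactly as they arrived; re-serializing the parsed JSON before hashing can change whitespace or key order and make valid deliveries fail verification.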