Generate a signature secret by calling POST /v0/webhook_secrets with an empty body; store the returned secret value securely.
Create a webhook subscription by calling POST /v0/webhooks with a JSON body specifying url, enabled_events (e.g., ["ACCOUNT.*", "CUSTOMER.UPDATED"]), is_enabled: true, and an optional metadata string.
On each incoming webhook POST, extract the Synctera-Signature and Request-Timestamp headers from the request.
Compute HMAC-SHA256 of the string Request-Timestamp + '.' + raw_request_body using your stored secret as the key; compare the hex digest to the header value using a constant-time comparison.
Reject requests where the timestamp is more than 5 minutes in the past to prevent replay attacks.
Rotate the secret without downtime by calling PUT /v0/webhook_secrets with {"is_rolling_secret": true}; this keeps the old secret valid for 24 hours while the new one is deployed.
Known gotchas
Synctera retries failed webhooks with exponential backoff for up to 55 hours; your endpoint must handle idempotent re-delivery using the event id field.
Wildcard subscriptions such as CUSTOMER.* will automatically include new event types added by Synctera in the future — audit your handler logic when new event types are released.
Webhook requests timeout after 5 seconds; place received events on an internal queue and return HTTP 200 immediately to avoid false retry storms.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp