CDP Transfers webhooks provide your app with real-time transfer status updates. By subscribing your webhook endpoint you will receive a notification every time a transfer made by your users is created or updated.
Setup
Prerequisites
You will need:
- Your CDP API Key ID and secret
- A webhook notification HTTPS URL
- (Recommended) Install cdpcurl
Create a webhook subscription
- Prepare your subscription configuration:
{
"description": "CDP Transfers webhook",
"eventTypes": [
"payments.transfers.quoted",
"payments.transfers.processing",
"payments.transfers.completed",
"payments.transfers.failed",
"payments.transfers.expired"
],
"target": {
"url": "https://your-webhook-url.com",
"method": "POST"
},
"labels": {},
"isEnabled": true
}
target.url should be your webhook endpoint that will receive the events- You can also set a
headers object in target if your url requires specific headers:
...
"target": {
"url": "https://your-webhook-url.com",
"method": "POST",
"headers": {
"custom-header": "value"
}
},
...
- All Transfer event types should be included to ensure you receive notifications for every transfer state change:
| Event type | Description |
|---|
payments.transfers.quoted | Transfer has been quoted with fee breakdown |
payments.transfers.processing | Transfer is being executed |
payments.transfers.completed | Transfer completed successfully |
payments.transfers.failed | Transfer failed |
payments.transfers.expired | Transfer fee quote expired |
- Create the webhook subscription:
cdpcurl -X POST \
-i "YOUR_API_KEY_ID" \
-s "YOUR_API_KEY_SECRET" \
"https://api.cdp.coinbase.com/platform/v2/data/webhooks/subscriptions" \
-d '{
"description": "CDP Transfers webhook",
"eventTypes": [
"payments.transfers.quoted",
"payments.transfers.processing",
"payments.transfers.completed",
"payments.transfers.failed",
"payments.transfers.expired"
],
"target": {
"url": "https://your-webhook-url.com",
"method": "POST"
},
"labels": {},
"isEnabled": true
}'
201 Created
{
"createdAt": "2025-09-10T13:58:38.681893Z",
"description": "CDP Transfers webhook",
"eventTypes": [
"payments.transfers.quoted",
"payments.transfers.processing",
"payments.transfers.completed",
"payments.transfers.failed",
"payments.transfers.expired"
],
"isEnabled": true,
"labelKey": "entity",
"labelValue": "<YOUR_ENTITY_ID>",
"labels": {
"entity": "<YOUR_ENTITY_ID>"
},
"metadata": {
"secret": "<SECRET_FOR_WEBHOOK_VERIFICATION>"
},
"subscriptionId": "<YOUR_SUBSCRIPTION_ID>",
"target": {
"url": "https://your-webhook-url.com"
}
}
subscriptionId from the response to view, update, or delete the subscription.
List all subscriptions
cdpcurl -X GET \
-i "YOUR_API_KEY_ID" \
-s "YOUR_API_KEY_SECRET" \
"https://api.cdp.coinbase.com/platform/v2/data/webhooks/subscriptions"
cdpcurl -X GET \
-i "YOUR_API_KEY_ID" \
-s "YOUR_API_KEY_SECRET" \
"https://api.cdp.coinbase.com/platform/v2/data/webhooks/subscriptions/<SUBSCRIPTION_ID>"
cdpcurl -X PUT \
-i "YOUR_API_KEY_ID" \
-s "YOUR_API_KEY_SECRET" \
"https://api.cdp.coinbase.com/platform/v2/data/webhooks/subscriptions/<SUBSCRIPTION_ID>" \
-d '{
"description": "Updated: CDP Transfers webhook",
"eventTypes": [
"payments.transfers.quoted",
"payments.transfers.processing",
"payments.transfers.completed",
"payments.transfers.failed",
"payments.transfers.expired"
],
"target": {
"url": "https://your-new-webhook-url.com",
"method": "POST"
},
"labels": {},
"isEnabled": true
}'
cdpcurl -X DELETE \
-i "YOUR_API_KEY_ID" \
-s "YOUR_API_KEY_SECRET" \
"https://api.cdp.coinbase.com/platform/v2/data/webhooks/subscriptions/<SUBSCRIPTION_ID>"
Webhook signature verification
Verify webhook signatures to ensure that requests are authentic. This protects your application from forged webhooks and potential security threats.
How it works
When you create a webhook subscription, the response includes a secret in metadata.secret. This secret is used to verify that incoming webhooks are authentic.
Each webhook request includes an X-Hook0-Signature header containing:
t field - the timestamph field - list of headers included in the signaturev1 field - the signature
Implementation
Here’s an example of how to verify webhook signatures:
const crypto = require('crypto');
/**
* Verify webhook signature and timestamp
* @param {string} payload - Raw request body as string
* @param {string} signatureHeader - X-Hook0-Signature header value
* @param {string} secret - Secret from metadata.secret in subscription creation
* @param {Object} headers - HTTP headers from webhook request
* @param {number} maxAgeMinutes - Max age for webhook (default: 5 minutes)
* @returns {boolean} true if webhook is authentic and within allowed time window
*/
function verifyWebhookSignature(payload, signatureHeader, secret, headers, maxAgeMinutes = 5) {
try {
// Parse signature header: t=timestamp,h=headers,v1=signature
const elements = signatureHeader.split(',');
const timestamp = elements.find(e => e.startsWith('t=')).split('=')[1];
const headerNames = elements.find(e => e.startsWith('h=')).split('=')[1];
const providedSignature = elements.find(e => e.startsWith('v1=')).split('=')[1];
// Build header values string
const headerNameList = headerNames.split(' ');
const headerValues = headerNameList.map(name => headers[name] || '').join('.');
// Build signed payload
const signedPayload = `${timestamp}.${headerNames}.${headerValues}.${payload}`;
// Compute expected signature
const expectedSignature = crypto
.createHmac('sha256', secret)
.update(signedPayload, 'utf8')
.digest('hex');
// Compare signatures securely
const signaturesMatch = crypto.timingSafeEqual(
Buffer.from(expectedSignature, 'hex'),
Buffer.from(providedSignature, 'hex')
);
// Verify timestamp to prevent replay attacks
const webhookTime = parseInt(timestamp) * 1000; // Convert to milliseconds
const currentTime = Date.now();
const ageMinutes = (currentTime - webhookTime) / (1000 * 60);
if (ageMinutes > maxAgeMinutes) {
console.error(`Webhook timestamp exceeds maximum age: ${ageMinutes.toFixed(1)} minutes > ${maxAgeMinutes} minutes`);
return false;
}
return signaturesMatch;
} catch (error) {
console.error('Webhook verification error:', error);
return false;
}
}
const express = require("express");
const app = express();
// Important: Get raw body for signature verification
app.use(express.raw({ type: "application/json" }));
app.post("/webhook", (req, res) => {
const payload = req.body.toString(); // Raw string needed for signature
const signature = req.headers["x-hook0-signature"];
const secret = process.env.WEBHOOK_SECRET; // Store securely from metadata.secret
if (verifyWebhookSignature(payload, signature, secret, req.headers)) {
console.log("✅ Authentic webhook");
// Parse and process the event
const event = JSON.parse(payload);
// Handle your transfer event here
res.status(200).send("OK");
} else {
console.log("❌ Invalid webhook - rejected");
res.status(400).send("Invalid signature");
}
});
Next steps
Once your subscription is created, your endpoint will begin receiving webhook events for transfers!
Sample transfer event payloads
Quoted event - Transfer fee quote is ready:
{
"eventType": "payments.transfers.quoted",
"eventId": "123e4567-e89b-12d3-a456-426614174000",
"timestamp": "2026-01-01T00:00:00Z",
"data": {
"transferId": "transfer_af2937b0-9846-4fe7-bfe9-ccc22d935114",
"status": "draft",
"source": {
"accountId": "account_af2937b0-9846-4fe7-bfe9-ccc22d935114",
"asset": "usd"
},
"target": {
"address": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
"network": "base",
"asset": "usdc"
},
"amount": "100.00",
"asset": "usd",
"fees": [
{
"feeType": "network",
"amount": "0.25",
"asset": "usd"
}
],
"expiresAt": "2026-01-01T00:15:00Z",
"createdAt": "2026-01-01T00:00:00Z"
}
}
{
"eventType": "payments.transfers.completed",
"eventId": "234e5678-f89b-12d3-a456-426614174001",
"timestamp": "2026-01-01T00:05:00Z",
"data": {
"transferId": "transfer_af2937b0-9846-4fe7-bfe9-ccc22d935114",
"status": "completed",
"source": {
"accountId": "account_af2937b0-9846-4fe7-bfe9-ccc22d935114",
"asset": "usd"
},
"target": {
"address": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
"network": "base",
"asset": "usdc"
},
"amount": "100.00",
"asset": "usd",
"createdAt": "2026-01-01T00:00:00Z",
"updatedAt": "2026-01-01T00:05:00Z",
"completedAt": "2026-01-01T00:05:00Z"
}
}
Best practices
To ensure reliable webhook delivery:
- Test endpoints locally before enabling subscriptions in production
- Handle concurrent requests - ensure your target URL can process multiple events simultaneously
- Process events asynchronously - return a
200 response quickly and process the event in the background
- Monitor webhook receiver health - track delivery success rates to your target URL
- Set up subscription monitoring - use a scheduled job (e.g., cron, systemd timer) to periodically call the List Subscriptions API and verify critical subscriptions have
isEnabled: true
Subscriptions may be automatically disabled if your endpoint experiences sustained delivery failures (e.g., high failure rates, endpoint unavailability, or throughput issues). If this happens, fix the underlying endpoint issue and use the Update Subscription API to re-enable.
