Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developers.paxoslabs.com/llms.txt

Use this file to discover all available pages before exploring further.

Paxos Labs webhooks deliver real-time HTTP notifications to your server when events occur — direct transfer deposits arrive, transactions confirm, and more. Instead of polling the API, your application reacts to events the moment they happen.

How It Works

1

Register an endpoint

Add an HTTPS URL in the Paxos Labs Console under your organization’s Webhooks tab. You receive a signing secret on creation — store it securely.
2

Subscribe to events

Choose which event types your endpoint should receive. You can subscribe to all available events or select specific ones.
3

Receive and verify

When an event fires, Paxos Labs sends a signed POST request to your endpoint. Your server verifies the HMAC signature, then processes the payload.

Quick Start

Register an endpoint, subscribe to events, and handle your first webhook in minutes.

Signature Verification

Verify webhook authenticity with HMAC-SHA256 signatures. Includes code samples in Node.js, Python, and Go.

Event Catalog

Complete reference of all webhook event types with payload schemas and examples.

Key Concepts

ConceptDescription
EndpointAn HTTPS URL on your server that receives webhook POST requests.
SubscriptionThe set of event types an endpoint listens to. Each endpoint can subscribe to one or more event types.
Signing secretA unique pxlwh_ prefixed key generated when you create an endpoint. Used to verify that requests genuinely originate from Paxos Labs.
EventA JSON payload describing something that happened — e.g., a deposit was confirmed.
DeliveryA single attempt to send an event to your endpoint. The Paxos Labs Console shows delivery history per endpoint.

Security Model

Every webhook request is signed with your endpoint’s unique secret using HMAC-SHA256. Two headers accompany each request:
HeaderValue
X-PAXOS-LABS-TIMESTAMPUnix seconds when the event was created
X-PAXOS-LABS-SIGNATUREv1=<hex_hmac>
Your server should always verify the signature before processing a webhook. This prevents forgery and replay attacks.
Your signing secret is shown once at creation time. Copy and store it in a secrets manager immediately. If lost, delete the endpoint and create a new one.

Limits

LimitValue
Endpoints per organization10
Endpoint URL protocolHTTPS only
Endpoint name length100 characters
Delivery timeout10 seconds