Webhook Implementation Guide
Register an HTTPS URL and receive real-time, HMAC-signed event pushes when smart-money signals fire — no polling. This guide covers registration, event filtering, signature verification, and retry behavior.
Overview
Instead of polling /v1/confirm or the signal feed, register a webhook and Smart Money API will POST an event to your endpoint the moment a matching signal fires. Every delivery is signed with HMAC-SHA256 so you can verify it genuinely came from us.
Outbound webhooks are available on the Pro and Enterprise plans.
Register a Webhook
POST to /v1/webhooks with your API key in the X-API-Key header. The body needs four fields:
| Field | Type | Description |
|---|---|---|
| url | string | HTTPS endpoint to receive events (must start with https://) |
| events | array | Event names to receive, e.g. ["HIGH","MEDIUM","VETO"] or ["*"] |
| symbols | array | Symbols to filter, e.g. ["BTC","ETH"] or ["*"] |
| secret | string | Your signing secret — at least 16 characters. Stored hashed; keep the raw value on your side to verify signatures. |
Event Filters
Deliveries fire for events whose name and symbol match your registration. Typical event names are the confirmation confidence buckets — HIGH, MEDIUM, VETO — plus generic SIGNAL events. Use ["*"] to receive all events or all symbols.
Delivery & Headers
Each delivery is an HTTP POST with a JSON body and these headers:
| Header | Value |
|---|---|
| X-SmartMoney-Event | The event name (e.g. HIGH) |
| X-SmartMoney-Signature | HMAC-SHA256 hex digest of the request body (see below) |
| Content-Type | application/json |
| User-Agent | SmartMoneyAPI-Webhook/1.0 |
Respond with any 2xx status to acknowledge. Non-2xx (or a timeout) triggers a retry.
Verifying Signatures
The signature in X-SmartMoney-Signature is an HMAC-SHA256 hex digest of the request body. The HMAC key is the SHA-256 hex digest of the secret you registered (your raw secret is only ever stored hashed on our side). To verify: derive the key, HMAC the raw body, and compare with a constant-time check. Reject any request that fails.
Retries
If your endpoint does not return a 2xx (or times out — the delivery timeout is 10s), Smart Money API retries up to 3 times with exponential backoff (approximately 1s, 4s, then 16s). Make your handler idempotent so a re-delivered event is safe to process twice.
Inbound Webhooks (TradingView)
Separately, you can send an inbound alert to us. POST /v1/tradingview/webhook receives a TradingView alert, runs it through /confirm, and returns the confirmation. Because TradingView cannot send custom headers, it authenticates via a secret field in the JSON body (not X-API-Key). Send secret, symbol, and direction (long/short); optionally timeframe, strategy, and price.
Ready to wire up real-time signals?
Get your API key