/>

Webhook Implementation Guide

Register an HTTPS URL and receive real-time, HMAC-signed event pushes when smart-money signals fire — no polling. This guide covers registration, event filtering, signature verification, and retry behavior.

Overview

Instead of polling /v1/confirm or the signal feed, register a webhook and Smart Money API will POST an event to your endpoint the moment a matching signal fires. Every delivery is signed with HMAC-SHA256 so you can verify it genuinely came from us.

Outbound webhooks are available on the Pro and Enterprise plans.

Register a Webhook

POST to /v1/webhooks with your API key in the X-API-Key header. The body needs four fields:

FieldTypeDescription
urlstringHTTPS endpoint to receive events (must start with https://)
eventsarrayEvent names to receive, e.g. ["HIGH","MEDIUM","VETO"] or ["*"]
symbolsarraySymbols to filter, e.g. ["BTC","ETH"] or ["*"]
secretstringYour signing secret — at least 16 characters. Stored hashed; keep the raw value on your side to verify signatures.
cURL
curl -X POST https://api.smartmoneyapi.com/v1/webhooks \ -H "X-API-Key: sm_your_key" \ -H "Content-Type: application/json" \ -d '{ "url": "https://yourapp.com/webhooks/smartmoney", "events": ["HIGH", "MEDIUM"], "symbols": ["BTC", "ETH"], "secret": "a-long-random-secret-16-plus-chars" }'
201 Created
{ "webhook_id": 42, "url": "https://yourapp.com/webhooks/smartmoney", "events": ["HIGH", "MEDIUM"], "symbols": ["BTC", "ETH"], "message": "Webhook registered. Test with POST /v1/webhooks/test" }

Event Filters

Deliveries fire for events whose name and symbol match your registration. Typical event names are the confirmation confidence buckets — HIGH, MEDIUM, VETO — plus generic SIGNAL events. Use ["*"] to receive all events or all symbols.

Delivery & Headers

Each delivery is an HTTP POST with a JSON body and these headers:

HeaderValue
X-SmartMoney-EventThe event name (e.g. HIGH)
X-SmartMoney-SignatureHMAC-SHA256 hex digest of the request body (see below)
Content-Typeapplication/json
User-AgentSmartMoneyAPI-Webhook/1.0
Example payload
{ "event": "HIGH", "ts": "2026-07-01T18:22:05Z", "symbol": "BTC", "direction": "long", "confidence": "HIGH", "composite": 0.74, "webhook_id": 42 }

Respond with any 2xx status to acknowledge. Non-2xx (or a timeout) triggers a retry.

Verifying Signatures

The signature in X-SmartMoney-Signature is an HMAC-SHA256 hex digest of the request body. The HMAC key is the SHA-256 hex digest of the secret you registered (your raw secret is only ever stored hashed on our side). To verify: derive the key, HMAC the raw body, and compare with a constant-time check. Reject any request that fails.

Python (Flask receiver)
import hashlib, hmac from flask import Flask, request, abort app = Flask(__name__) MY_SECRET = "a-long-random-secret-16-plus-chars" # the value you registered @app.post("/webhooks/smartmoney") def receive(): raw = request.get_data() # exact bytes of the body sig = request.headers.get("X-SmartMoney-Signature", "") key = hashlib.sha256(MY_SECRET.encode()).hexdigest() # HMAC key = sha256(secret) hex expected = hmac.new(key.encode(), raw, hashlib.sha256).hexdigest() if not hmac.compare_digest(expected, sig): abort(401) event = request.get_json() # ... act on event["event"], event["symbol"], event["composite"] ... return "", 200
Node.js (Express receiver)
import crypto from "crypto"; import express from "express"; const app = express(); const MY_SECRET = "a-long-random-secret-16-plus-chars"; // Capture the raw body so the signature check uses the exact bytes. app.post("/webhooks/smartmoney", express.raw({ type: "*/*" }), (req, res) => { const sig = req.get("X-SmartMoney-Signature") || ""; const key = crypto.createHash("sha256").update(MY_SECRET).digest("hex"); const expected = crypto.createHmac("sha256", key).update(req.body).digest("hex"); const ok = expected.length === sig.length && crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig)); if (!ok) return res.status(401).end(); const event = JSON.parse(req.body.toString()); // ... act on event ... res.status(200).end(); });
Verify against the raw, unparsed request body — re-serializing parsed JSON can change byte order or spacing and break the check.

Retries

If your endpoint does not return a 2xx (or times out — the delivery timeout is 10s), Smart Money API retries up to 3 times with exponential backoff (approximately 1s, 4s, then 16s). Make your handler idempotent so a re-delivered event is safe to process twice.

Inbound Webhooks (TradingView)

Separately, you can send an inbound alert to us. POST /v1/tradingview/webhook receives a TradingView alert, runs it through /confirm, and returns the confirmation. Because TradingView cannot send custom headers, it authenticates via a secret field in the JSON body (not X-API-Key). Send secret, symbol, and direction (long/short); optionally timeframe, strategy, and price.

Ready to wire up real-time signals?

Get your API key
Start free — 50 calls/day, no card

Get live whale flow, funding, open interest and on-chain data across 3 exchanges from one API. Free tier, no credit card, upgrade any time.

Start free →
Try the live API console → (no account needed)
Get your API key in 30 seconds

Ready to build? Grab a free API key (50 calls/day, no card) and start pulling live whale, funding and on-chain data.

Get your API key →