Webhooks
Register HTTPS endpoints for real-time event notifications, HMAC-SHA256-signed over the raw body. Full event catalogue, per-event payloads, signature-verification code (Node & Python), at-least-once delivery semantics, and the delivery log.
Register HTTPS endpoints to receive real-time event notifications. MyStocks signs every delivery with
an HMAC-SHA256 signature over the raw request body using your webhook secret. Your endpoint must
respond HTTP 2xx within 8 seconds; heavy processing should be deferred to a background queue.
Failed deliveries are retried with exponential backoff — check the delivery log via
GET /webhooks/{id}/deliveries.
Register a webhook
POST /webhooks
| Field | Type | Required | Description |
|---|---|---|---|
| url | string | Yes | HTTPS endpoint. Must respond 2xx within 8 s. |
| events | string[] | Yes | Array of event type strings to subscribe to. |
| secret | string | No | HMAC signing secret (min 16 chars). Generated automatically if omitted. |
Event catalogue
| Event | Trigger |
|---|---|
order.pending | An order was submitted and is awaiting live fill. |
order.filled | An order was filled and executed. Shares/proceeds credited. |
order.rejected | An order was declined. Includes rejectionCode and rejectionReason. |
order.cancelled | An order was cancelled via DELETE /orders/{id}. |
order.replaced | A resting order was modified via PATCH /users/{id}/orders/{orderId} (same orderId). |
trade.settled | Alias for order.filled — use order.filled in new integrations. |
trade.rejected | Alias for order.rejected — use order.rejected in new integrations. |
deposit.confirmed | A sub-account deposit was recorded. |
withdraw.confirmed | A sub-account withdrawal was processed. |
wallet.credited | Master wallet received a top-up from MyStocks ops. |
kyc.updated | A sub-account KYC status changed. |
account.frozen | A sub-account was frozen (or unfrozen) by partner or MyStocks compliance. |
dividend.paid | A dividend was received and credited to a sub-account. |
quote.expired | A tradeable quote reached its 60-second TTL without being used. |
market.status | An exchange changed phase (OPEN/CLOSED/HOLIDAY). |
incident.declared | A platform incident affecting your integration was opened. |
incident.resolved | A previously declared incident was closed. |
Delivery envelope
Every delivery wraps the event-specific payload in a standard three-field envelope. Sandbox deliveries
add isSandbox: true at the top level.
Event payloads
Signature verification
Every delivery includes an x-mystocks-signature header containing an HMAC-SHA256 hex digest of the
raw request body signed with your webhook secret. Always verify using a constant-time comparison.
Delivery semantics — at-least-once, not exactly-once. The same event can arrive more than once;
events are not guaranteed to arrive in order (a retried order.pending can land after
order.filled); and a delivery can fail all retries. The robust pattern: dedupe by eventId,
treat handlers as idempotent, and derive state from the event payload rather than arrival order.
Respond 2xx quickly and process asynchronously — you have 8 seconds before the attempt fails.
Manage & inspect
GET /webhooks · DELETE /webhooks/{id} · POST /webhooks/{id}/test · GET /webhooks/{id}/deliveries
List registered webhooks, delete one, fire a test event, or inspect delivery history.
POST /webhooks/{id}/test sends a test.event payload immediately and logs the delivery — useful for
verifying reachability and signature verification before going live. /deliveries returns each attempt
with HTTP status, response snippet, duration (ms), and the retry schedule if it failed. Retry schedule:
immediate → 5 s → 30 s → 5 min → 30 min → 2 h (6 attempts max).