Webhooks

Event envelope

Shared event envelope for all webhook deliveries.

Event envelope

Every webhook payload uses same outer envelope.

Example

{
  "event_id": "evt_01JY3P4S4TB8A3QGQ95E9W0D2M",
  "event_type": "mini_app.trade.processed",
  "operator_id": 12,
  "occurred_at": "2026-06-18T00:00:00.000Z",
  "aggregate_type": "mini_app_order",
  "aggregate_id": "1",
  "idempotency_key": "mini_app_order:1:processed",
  "data": {
    "order_id": 1
  }
}

Fields

Field	Type	Meaning
`event_id`	`string`	Globally unique event identifier. Primary dedupe key on receiver side.
`event_type`	`string`	Business event name.
`operator_id`	`number`	OpenPoly operator record ID for routing and audit.
`occurred_at`	`string`	UTC ISO timestamp when event became true.
`aggregate_type`	`string`	Resource family behind event, such as `mini_app_order`.
`aggregate_id`	`string`	Aggregate identifier, always serialized as string.
`idempotency_key`	`string`	Stable event-level idempotency key from OpenPoly side.
`data`	`object`	Event-specific payload only.

Invariants

event_id unique across all webhook events
aggregate_id always string, even if underlying DB key numeric
data shape depends on event_type
no API key, wallet secret, launch token, or session secret in payload
no raw internal transaction token in payload

Receiver guidance

store full envelope with raw body hash if audit required
dedupe by event_id, not by aggregate_id
route business logic by event_type
use aggregate_type and aggregate_id for correlation, not dedupe

event list and payloads: /docs/webhooks/event-types
retry behavior: /docs/webhooks/retry-and-replay

Edit this pageorReport an issue

Signatures

Verify webhook signatures and reject replays safely.

Event types

Business events sent by OpenPoly to operator webhook receivers.

Event envelope

Event envelope

Example

Fields

Invariants

Receiver guidance

Related pages