Webhooks Overview
  • 01 Feb 2022
  • 3 Minutes To Read
  • Dark
  • PDF

Webhooks Overview

  • Dark
  • PDF

Webhooks follow the famous Hollywood principle: Don't call us, we'll call you!

Why should you care? Well, back in 2009 Timothy Fitz explained it pretty well:

There is no simpler way to allow open ended integration with arbitrary web services. ... You should care because Webhooks will be ubiquitous. You should care because they’re going to reshape the internet. You should care because Webhooks are the next step in the evolution of communication on the internet and nothing will be left untouched.

In Mambu, highly configurable Webhooks are user-defined HTTP callbacks for actions happening in the cloud banking platform. These can be used for event-based, real-time notifications between independent services.

For example, let's say you want your application to respond when a loan is disbursed: simply define a Webhook in Mambu for the disbursement action and point the URL to your application. Mambu will POST a request to your app with all the information you need such as the loan account id, client information, amount, etc. Your application can then respond to this request itself or call back to Mambu to request more information and trigger additional actions in Mambu (such as creating a task or sending an email) or enrich and pass the call along to an other partner service to trigger actions there.

Based on client and partner testimonials, it is confirmed that a robust implementation involves the balanced usage of Webhooks. We are highly recommending using Webhooks for system-to-system notification purposes when the source of the events is a Mambu banking engine. For other use cases, such as calls originating from external systems, we recommend using the Mambu Process Orchestrator instead, so that an individual banking engine doesn't end up being used as an orchestrator system (which is outside of the scope of its banking engine responsibility).

Benefits of using Webhooks


The communication history records every notification to be sent out. The notification is stored with the version of the payload computed at send-out so, in case of failure, the originally computed version of the payload can be resent.

Assured Delivery

The engine backs up the delivery of the notifications with a re-try mechanism built on the exponential back-off pattern. In case of an undelivered notification, the system will attempt to perform the call 5 times at progressively increasing time intervals. If this threshold is reached with no success in the delivery, no automatic retry is performed. A manual, on-demand retry option via the Notifications API can be used for resending individual failed communications and is also available for bulk resend.


Mambu's Webhooks are highly configurable due to:

  • Intuitive URL template for the call destination

  • Payload template which can transport static and dynamic information (through the use of placeholders) in any format to the destination.

  • Support for REST API operations: POST, PUT, PATCH

  • Send data using structured json or xml content types, or simply as plain text


We share your concerns about the safety of your applications and communications, so to prevent your application from being publicly exposed (and potentially called by applications other than your Mambu account) we recommend the usage of a crypto noun (or "secret key") as part of the payload. The secret is known only by the sender and the receiver.

Since this secret will be included within each legitimate Webhook,  your application should check that this key is the expected one before taking any action.

As always, we also highly recommend using HTTPS(TLS v1.2) for all communications to prevent eavesdropping.

Authenticated calls are supported as long as the receivers end is geared up with an authentication layer based on the Basic Auth strategy: username and password.

The target enrolment for Webhooks notification is subscription based. When creating a new Webhook, the user can choose that targets are manually subscribed to the notification (Opt-In) or that targets are automatically subscribed to the notification as soon as it is created and enabled (Opt-Out).

Ask the Mambu Community

If you have a question about how anything works or have come across something you haven't seen explained here, get in touch with our community of fellow users and Mambuvians where someone will lend a hand.

Was This Article Helpful?