Documentationkeyboard_arrow_right
Banking Serviceskeyboard_arrow_right
Transaction Bankingkeyboard_arrow_right
Connectivitykeyboard_arrow_right
Webhooks
menu

Webhooks Set Up

If you haven't already done so, please:

  • Read our Webhooks Intro Guide here
  • Set up Basic API Authentication here

Step 1: Subscribe to receive payment status webhooks

Reach out to TxB Client Implementation team to subscribe to webhooks. When doing so, you will:

  • Provide a URL to which we will send all webhooks
  • Identify your preferred authentication mechanism. We offer signature verification and mTLS. You can use either or both
  • Identify your preferred event grouping behavior
  • Identify the events for which you want to be notified

Step 2: Receive webhooks

Once the subscription is active, you will start receiving webhook events on your URL of choice with a representative payload:

{
    "deliveryId": "7a484093-f205-4004-9c5f-4c333527656e",
    "events": [
        {
            "eventName": "PAYMENT_STATUS.RELEASED",
            "eventId": "7a484093-f205-4004-9c5f-4c333527656e",
            "eventTimestamp": "2021-02-01T16:56:46.384Z",
            "eventData": {
                "identifiers": {
                    "paymentRequestId": "myuniquepaymentrequest123",
                    "paymentEndToEndId": "trackthispayment123",
                    "gsUniquePaymentId": "gsuniquetracker123",
                    "railReferenceId": {},
                    "gsPostingIds": [
                        "ledgerPostingId123"
                    ]
                },
                "paymentExecutedValueDate": "2021-06-21",
                "amount": 101,
                "amountType": "PAYMENT",
                "paymentCurrency": "USD",
                "paymentStatus": {
                    "status": "RELEASED",
                    "statusTime": "2020-12-01T16:55:42.279Z"
                },
                "returns": {
                    "hasReturnDetails": false
                },
                "cancelations": {
                    "hasCancelationDetails": false
                },
                "cases": {
                    "hasLinkedCases": false
                }
            }
        }
}

Step 3: Authenticate the webhooks

If you plan to authenticate webhooks via mTLS, then reach out to TxB Client Implementation to exchange certs.

If you plan to authenticate webhooks by verifying the signature in the webhook header (X-GS-Signature), then follow the below steps:

GET /v1/keys/{keyId} returns:

{
    "n": "kV5sUJIqR_qONymuDKp7tZfzWbGXLyAPTEnl0HLpb5bOFN-PaukVE_D34pXXYLrMLStKosq0rqC8z_KotRfcSwlpON_AWJwHg6oxWnXRqKo9rVqtr3sj2QP9FtyakozT_PmvDeV3-syic3NtmtY26eN9O6jdVoJ5sfJD6A0whg52PU0Do4XLd7GtXUSD5DSYHfvEu7u9hR1oGXiQeHjTpSmVuj87vO8uBpfauIT-FdfvjHWjsuhS7DbXzGy_KTbwbR8pbLgIpGd194PuO2A55-0HxCNzOM47bg5S2bQkT4ejcs65IY1C-5PqnS3dS9xjcNm-IbYJq98Oio9dX4wl",
    "e": "AQAB",
    "use": "sig",
    "alg": "RS256",
    "kty": "RSA",
    "kid": "abefe829-24d2-4993-b56c-e49502eea61f"
}

Use the key set to confirm that the message was indeed sent by TxB. Cache the key for verification of subsequent webhooks.

Create an RSAPublicKeySpec from the modulus and exponent of the public JWK as shown below

String modulus = “qpaHppHFL4eygwPejubv48lKAGKsIIU4QtczXyxDoYN3Ec81AHgVC4emCcyGTr8VqUfBZvSCzlkJ1_A9t6rrjvAf7oEoamIuc5bC_X35YVVx7F1lo5390biCiwNnmMru0X1HDKZOtL5AZNi6IAll1MP_EGhvzFWRkGvlYe_xsBw7qa7plgtCn-PYfq9oyIyvfteKzV6b_CHObgxnLN9cq1mvr04hDD8uxNtqSna_5PtKiTt0ZUBbYK8sLCDMEA_0-5pKoW8AK3nxQFV7kkke56quwg4bRzwsU7XfWbfPE4ug9bP_VNcM7YLHkzFHdvcbXQUrqggBezlYY5tZJCOuPQ”

String exponent = "AQAB";

BigInteger n = Base64URL.from(modulus).decodeToBigInteger();
BigInteger e = Base64URL.from(exponent).decodeToBigInteger();

RSAPublicKeySpec spec = new RSAPublicKeySpec(n, e);
KeyFactory factory = KeyFactory.getInstance("RSA");
PublicKey publicKey = factory.generatePublic(spec);

Generate a signature using the received payload + timestamp + key ID

String timestamp = "1615786608057";
String keyId = "134b180c-136b-4462-b3ae-1a5249854f6f";

String message = jsonPayload + "\n" + timestamp + "\n" + keyId;
byte[] rawMessage = message.getBytes(StandardCharsets.UTF_8);

Signature signatureSHA256Java = Signature.getInstance("SHA256withRSA");
signatureSHA256Java.initVerify(publicKey);
signatureSHA256Java.update(rawMessage);

Verify this with the received signature (x-gs-signature header)

String signature = "V7n2Ci4kiWXrIO_XdTNxvBsL35Q1lAN6LEjBluLUTs1N-nryW1B_m1X2UBsRsxAjf_5ApQ3x-yR6i7Kbd67KL2nQl2VtpoGR_yG1WZXgDTAHDaF78qrdKTbeXjcmasyKGXHs5uSCKOSsBP96FF-5oGfR3QwDyAl6S_fjqqgyTGU0kqxX2TjOgEeyMhZxg1UOvzYKyaf2DjWZSE-NQBlFl3uPtENkILHdjDbsbuQneHPS3R0-ivpb5FsG2BsS4CP0v1T79m8DhshJ215QAAZnCgJY1svTl3yHYjwIS56EqifQRjfvZGbtM13Xmuj7ONOZZhv9dNfygqTW4rxo4BiKmQ==";

byte[] recdBytes = Base64.getUrlDecoder().decode(signature);
boolean isCorrect = signatureSHA256Java.verify(recdBytes);
Solutions
Curated Data Security MasterData AnalyticsPlotTool ProPortfolio AnalyticsGS QuantTransaction BankingGS DAP®
Docs
Data ServicesPricing & Risk ServicesIndex ServicesHedging ServicesPortfolio ServicesContent ServicesRIA CustodyCommission ManagerTransaction BankingGS SelectGS QuantPlotTool Pro
Learn More
BlogOpen SourceData Partnersdatonomy™CareersAbout Goldman Sachs
Goldman Sachs DeveloperPrivacy and CookiesGS Terms & ConditionsRegulatory DisclosuresSecurity
GS DAP® is owned and operated by Goldman Sachs. This site is for informational purposes only and does not constitute an offer to provide, or the solicitation of an offer to provide access to or use of GS DAP®. Any subsequent commitment by Goldman Sachs to provide access to and / or use of GS DAP® would be subject to various conditions, including, amongst others, (i) satisfactory determination and legal review of the structure of any potential product or activity, (ii) receipt of all internal and external approvals (including potentially regulatory approvals); (iii) execution of any relevant documentation in a form satisfactory to Goldman Sachs; and (iv) completion of any relevant system / technology / platform build or adaptation required or desired to support the structure of any potential product or activity. All GS DAP® features may not be available in certain jurisdictions. Not all features of GS DAP® will apply to all use cases. Use of terms (e.g., "account") on GS DAP® are for convenience only and does not imply any regulatory or legal status by such term.
¹ Real-time data can be impacted by planned system maintenance, connectivity or availability issues stemming from related third-party service providers, or other intermittent or unplanned technology issues.
Transaction Banking services are offered by Goldman Sachs Bank USA (“GS Bank”) and its affiliates. GS Bank is a New York State chartered bank, a member of the Federal Reserve System and a Member FDIC. For additional information, please see Bank Regulatory Information.
Certain solutions and Institutional Services described herein are provided via our Marquee platform. The Marquee platform is for institutional and professional clients only. This site is for informational purposes only and does not constitute an offer to provide the Marquee platform services described, nor an offer to sell, or the solicitation of an offer to buy, any security. Some of the services and products described herein may not be available in certain jurisdictions or to certain types of clients. Please contact your Goldman Sachs sales representative with any questions. Any data or market information presented on the site is solely for illustrative purposes. There is no representation that any transaction can or could have been effected on such terms or at such prices. Please see https://www.goldmansachs.com/disclaimer/sec-div-disclaimers-for-electronic-comms.html for additional information.
Mosaic is a service mark of Goldman Sachs & Co. LLC. This service is made available in the United States by Goldman Sachs & Co. LLC and outside of the United States by Goldman Sachs International, or its local affiliates in accordance with applicable law and regulations. Goldman Sachs International and Goldman Sachs & Co. LLC are the distributors of the Goldman Sachs Funds. Depending upon the jurisdiction in which you are located, transactions in non-Goldman Sachs money market funds are affected by either Goldman Sachs & Co. LLC, a member of FINRA, SIPC and NYSE, or Goldman Sachs International. For additional information contact your Goldman Sachs representative. Goldman Sachs & Co. LLC, Goldman Sachs International, Goldman Sachs Liquidity Solutions, Goldman Sachs Asset Management, L.P., and the Goldman Sachs funds available through Goldman Sachs Liquidity Solutions and other affiliated entities, are under the common control of the Goldman Sachs Group, Inc.
© 2025 Goldman Sachs. All rights reserved.