Webhooks

Webhooks allow your application to receive real-time notifications about events that occur in your Float account. Rather than polling the API repeatedly to check for changes, Float will push notifications to your server as events happen.

Supported Events

Float currently supports the following webhook events for card transactions:

| Resource | Event | Description |
| --- | --- | --- |
| Card Transaction | transaction.authorized | Fired when a card authorization is approved. This occurs in real-time when a cardholder makes a purchase. |
| Card Transaction | transaction.cleared | Fired when a card transaction is captured and settled by the card network. |
| Card Transaction | transaction.ready_to_export | Fired when a transaction reaches the READY_TO_EXPORT accounting stage. This occurs after a transaction has been reviewed and is ready for export to your accounting system. |

Event Payload Structure

All webhook events follow a consistent structure:

{
  "id": string,           // Unique event identifier (use for idempotency)
  "type": string,         // Event type (e.g., "transaction.authorized")
  "created_at": string,   // ISO 8601 timestamp when event was created
  "business_id": string,  // UUID of the Float business
  "object": {
    "id": string          // UUID of the affected resource
  }
}

Important: The webhook payload contains only the resource ID. To retrieve full transaction details, make a subsequent API call:

curl -X GET https://api.floatfinancial.com/v1/card-transactions/{transaction_id} \
  -H "Authorization: Bearer YOUR_API_TOKEN"

This design keeps payloads lightweight and allows you to fetch only the data you need with current field selections.

Security

Float signs all webhook requests using HMAC-SHA256. You should verify signatures to ensure requests are genuinely from Float.

Signature Headers

Each webhook request includes three headers:

Float-Signature: sha256=a1b2c3d4e5f6...
Float-Webhook-Id: evt_550e8400e29b41d4a716446655440000
Float-Timestamp: 1718720520

  • Float-Signature: HMAC-SHA256 signature of the signed content
  • Float-Webhook-Id: Unique event identifier (matches event.id)
  • Float-Timestamp: Unix timestamp when the request was sent
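
A receiver-side check built from the three headers above, as an added example (not Float's own code). This page does not say how the signed content is assembled, so `signed_content()` uses an assumed `id.timestamp.body` layout that must be replaced with Float's actual format; the 300-second tolerance, the `seen_ids` store and the sample values are also assumptions.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; not specified on the page


def signed_content(webhook_id: str, timestamp: str, body: bytes) -> bytes:
    # ASSUMPTION: the page does not define the signed content. This
    # "<id>.<timestamp>.<raw body>" layout is a placeholder for Float's format.
    return webhook_id.encode() + b"." + timestamp.encode() + b"." + body


def sign(secret: bytes, webhook_id: str, timestamp: str, body: bytes) -> str:
    mac = hmac.new(secret, signed_content(webhook_id, timestamp, body), hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_webhook(headers, body, secret, seen_ids, now=None):
    """Return the event dict, None for a duplicate, or raise ValueError."""
    sig = headers.get("Float-Signature", "")
    webhook_id = headers.get("Float-Webhook-Id", "")
    timestamp = headers.get("Float-Timestamp", "")
    if not (webhook_id and timestamp.isascii() and timestamp.isdigit()):
        raise ValueError("missing or malformed signature headers")
    expected = sign(secret, webhook_id, timestamp, body)  # body = raw bytes
    # Constant-time comparison: no early exit on the first differing byte.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("signature mismatch")
    # Freshness is checked only after the MAC has authenticated the timestamp.
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance")
    event = json.loads(body)
    if not isinstance(event, dict) or event.get("id") != webhook_id:
        raise ValueError("Float-Webhook-Id does not match event id")
    if webhook_id in seen_ids:
        return None  # already processed: acknowledge with 2xx, do no work
    seen_ids.add(webhook_id)
    return event


if __name__ == "__main__":
    # Constructed sample request; none of these values come from Float.
    secret, wid, ts = b"constructed-secret", "evt_constructed_0001", "1718720520"
    body = json.dumps({"id": wid, "type": "transaction.authorized"}).encode()
    hdrs = {"Float-Signature": sign(secret, wid, ts, body),
            "Float-Webhook-Id": wid, "Float-Timestamp": ts}
    print(verify_webhook(hdrs, body, secret, set(), now=int(ts) + 5))
```

Pass the raw request bytes as `body`; re-serialising parsed JSON before hashing changes the bytes and breaks the comparison.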

Retry Logic

Float automatically retries failed webhook deliveries:

  • Max attempts: 10 retries
  • Backoff strategy: Exponential backoff with jitter
  • Success criteria: HTTP 200-299 response
  • Timeout: 10 seconds per request