Skip to content

Webhooks reference

We POST a JSON envelope to your endpoint for each event. Manage endpoints via the dashboard or the /webhooks API (needs a full-scope key).

{
"id": "8f0c…",
"type": "order.filled",
"createdAt": "2026-07-16T12:00:00Z",
"data": { "orderId": "", "status": "Filled", "resource": "energy", "volume": 131000, "totalTrx": "5.502" }
}
Header Value
X-TronGas-Event event type, e.g. order.filled
X-TronGas-Delivery delivery id (use it to de-duplicate)
X-TronGas-Timestamp Unix seconds (part of the signature)
X-TronGas-Signature sha256=<hex HMAC>

The signature is HMAC-SHA256(secret, "{timestamp}.{rawBody}"), hex-encoded. Recompute it from the raw request body and compare in constant time. Optionally reject old timestamps to prevent replay.

import crypto from "node:crypto";
function verify(rawBody, headers, secret) {
const ts = headers["x-trongas-timestamp"];
const sig = headers["x-trongas-signature"]; // "sha256=<hex>"
const expected =
"sha256=" + crypto.createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected));
}

We expect a 2xx response. Non-2xx or timeout triggers retries with exponential backoff (about 30s → 6h, up to 6 attempts) before the delivery is marked failed. See the delivery log per endpoint in the dashboard.