Webhooks reference
We POST a JSON envelope to your endpoint for each event. Manage endpoints via the dashboard or the
/webhooks API (needs a full-scope key).
Payload
Section titled “Payload”{ "id": "8f0c…", "type": "order.filled", "createdAt": "2026-07-16T12:00:00Z", "data": { "orderId": "…", "status": "Filled", "resource": "energy", "volume": 131000, "totalTrx": "5.502" }}Headers
Section titled “Headers”| Header | Value |
|---|---|
X-TronGas-Event |
event type, e.g. order.filled |
X-TronGas-Delivery |
delivery id (use it to de-duplicate) |
X-TronGas-Timestamp |
Unix seconds (part of the signature) |
X-TronGas-Signature |
sha256=<hex HMAC> |
Verify the signature
Section titled “Verify the signature”The signature is HMAC-SHA256(secret, "{timestamp}.{rawBody}"), hex-encoded. Recompute it from the raw
request body and compare in constant time. Optionally reject old timestamps to prevent replay.
import crypto from "node:crypto";
function verify(rawBody, headers, secret) { const ts = headers["x-trongas-timestamp"]; const sig = headers["x-trongas-signature"]; // "sha256=<hex>" const expected = "sha256=" + crypto.createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex"); return crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected));}Delivery & retries
Section titled “Delivery & retries”We expect a 2xx response. Non-2xx or timeout triggers retries with exponential backoff (about 30s → 6h, up
to 6 attempts) before the delivery is marked failed. See the delivery log per endpoint in the dashboard.