Webhooks

Webhooks let your integration react to platform events — most importantly, when a fresh round of holdings, performance, and limits has been computed for a client. Aleta sends them as Standard Webhooks deliveries signed with rotating asymmetric keys, so verifiers can authenticate every payload before acting on it.

Format

Aleta follows the Standard Webhooks specification. Each delivery carries the standard webhook-id, webhook-timestamp, and webhook-signature headers. The body is a JSON envelope:

Name
type
Type
string
Description
Event type. The only public type today is calculated_data.created.
Name
timestamp
Type
ISO 8601 timestamp
Description
When the event occurred on the platform.
Name
data
Type
object
Description
Event payload. Shape depends on type.

Signing

Aleta uses asymmetric ECDSA P-256 signatures rather than the symmetric HMAC variant that Standard Webhooks also permits. Verifiers fetch Aleta's public keys at the keys endpoint, then verify each delivery's webhook-signature against the active set.

Keys rotate. The verification endpoint returns every key currently trusted for delivery — typically the active key plus the most recently retired one — so a verifier mid-rotation can accept signatures from either. Cache the response and refetch when you see a signature that doesn't verify.

Events

Name
calculated_data.created
Type
data
Description
A round of holdings, performance, and limit-compliance computation has finished for a client. Refetch the data endpoints you care about; until you see this event the previous-round numbers may still be returned.
Payload: { "clientId": "..." }.

Example payload

{
  "type": "calculated_data.created",
  "timestamp": "2026-04-30T07:05:18Z",
  "data": {
    "clientId": "6710efbc34673a0a646a45de"
  }
}

GET/api/v2/webhooks/keys

Fetch signing keys

Returns the active set of public keys in JWK format (kty: EC, crv: P-256). Use these to verify the webhook-signature header on incoming deliveries.

Request