> ## Documentation Index
> Fetch the complete documentation index at: https://docs.slash.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Set account authorization webhook

> Create or update the authorization webhook configuration for an account. This will upsert the webhook configuration, creating it if it doesn't exist or updating it if it does. 

The secret for a webhook remains static after it is initially created. If you would like to retrieve the secret before sending requests,
create the authorization webhook in status 'inactive' first and then update it to 'active' after.


<Note>
  **Enterprise Feature**: Authorization webhooks are an enterprise-only feature. Please reach out to [sales@slash.com](mailto:sales@slash.com) to get set up with this functionality.
</Note>

The Authorization Request Event schema shows the shape of the event that is sent to the webhook.


## OpenAPI

````yaml put /account/{accountId}/authorization-webhook
openapi: 3.1.0
info:
  title: Slash Public API
  description: API description
  version: 0.0.1
  contact: {}
servers:
  - url: https://api.slash.com
    description: production
security:
  - api_key: []
  - partner_api_key: []
  - bearer: []
  - developer_application: []
paths:
  /account/{accountId}/authorization-webhook:
    parameters:
      - name: accountId
        in: path
        schema:
          type: string
        required: true
    put:
      description: >
        Create or update the authorization webhook configuration for an account.
        This will upsert the webhook configuration, creating it if it doesn't
        exist or updating it if it does. 


        The secret for a webhook remains static after it is initially created.
        If you would like to retrieve the secret before sending requests,

        create the authorization webhook in status 'inactive' first and then
        update it to 'active' after.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                webhookUrl:
                  type: string
                  description: The URL where authorization webhook events will be sent
                status:
                  type: string
                  enum:
                    - active
                    - inactive
                  description: Current status of the webhook
                config:
                  $ref: '#/components/schemas/AuthorizationWebhookConfig'
                  description: Configuration specific to the authorization webhook
                  x-entrypoint:
                    virtualPath: schemas/AuthorizationWebhookConfig
                    sourcePath: schemas/AuthorizationWebhookConfig.yaml
                    title: AuthorizationWebhookConfig
                    origin: ./src/publicApi
              required:
                - webhookUrl
                - status
                - config
      responses:
        '200':
          description: Authorization webhook created or updated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthorizationWebhook'
                x-entrypoint:
                  virtualPath: schemas/AuthorizationWebhook
                  sourcePath: schemas/AuthorizationWebhook.yaml
                  title: AuthorizationWebhook
                  origin: ./src/publicApi
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '429':
          description: TooManyRequests
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '500':
          description: Internal Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - api_key: []
        - bearer: []
components:
  schemas:
    AuthorizationWebhookConfig:
      description: >
        Configuration specific to the authorization webhook, discriminated on
        `fallbackBehavior`.


        The fallback behavior is used when the webhook cannot produce an answer
        — it fails to send a response in time, sends an invalid response, or
        cannot be reached (including while Slash is operating in a degraded mode
        where external webhooks cannot be consulted):

        - `reject`: the transaction is declined.

        - `default`: the transaction continues through Slash's standard
        authorization flow (balance and limit checks still apply). If a `when`
        condition is provided, only transactions matching the condition
        continue; non-matching transactions are declined.
      oneOf:
        - type: object
          description: >-
            Always decline the transaction when the webhook cannot produce an
            answer.
          properties:
            fallbackBehavior:
              type: string
              enum:
                - reject
              description: The transaction will be declined.
          required:
            - fallbackBehavior
        - type: object
          description: >
            Continue the transaction through the standard authorization flow
            when the webhook cannot produce an answer — for every transaction,
            or only for transactions matching the optional `when` condition.
          properties:
            fallbackBehavior:
              type: string
              enum:
                - default
              description: >-
                The transaction will continue to run through the standard
                authorization flow (e.g. the balance check).
            when:
              $ref: '#/components/schemas/AuthorizationWebhookCondition'
              description: >
                Optional condition restricting which transactions the `default`
                fallback applies to: matching transactions continue through the
                standard authorization flow, non-matching transactions are
                declined. Omit to apply the `default` fallback to every
                transaction.
              x-entrypoint:
                virtualPath: schemas/AuthorizationWebhookCondition
                sourcePath: schemas/AuthorizationWebhookCondition.yaml
                title: AuthorizationWebhookCondition
                origin: ./src/publicApi
          required:
            - fallbackBehavior
      x-entrypoint:
        virtualPath: schemas/AuthorizationWebhookConfig
        sourcePath: schemas/AuthorizationWebhookConfig.yaml
        title: AuthorizationWebhookConfig
        origin: ./src/publicApi
      title: AuthorizationWebhookConfig
    AuthorizationWebhook:
      type: object
      properties:
        webhookUrl:
          type: string
          description: The URL where authorization webhook events will be sent
        signingSecret:
          type: string
          description: Secret used for signing webhook payloads
        status:
          type: string
          enum:
            - active
            - inactive
          description: Current status of the webhook
        timeoutDurationMs:
          type: integer
          description: The timeout duration in milliseconds for webhook requests
        config:
          $ref: '#/components/schemas/AuthorizationWebhookConfig'
          description: Configuration specific to the authorization webhook
          x-entrypoint:
            virtualPath: schemas/AuthorizationWebhookConfig
            sourcePath: schemas/AuthorizationWebhookConfig.yaml
            title: AuthorizationWebhookConfig
            origin: ./src/publicApi
        createdAt:
          type: string
          format: date-time
          description: When the webhook was created
        updatedAt:
          type: string
          format: date-time
          description: When the webhook was last updated
      required:
        - webhookUrl
        - signingSecret
        - status
        - timeoutDurationMs
        - config
        - createdAt
        - updatedAt
      x-entrypoint:
        virtualPath: schemas/AuthorizationWebhook
        sourcePath: schemas/AuthorizationWebhook.yaml
        title: AuthorizationWebhook
        origin: ./src/publicApi
      title: AuthorizationWebhook
    Error:
      type: object
      properties:
        message:
          type: string
        name:
          type: string
        identifier:
          type: string
        rawStatus:
          type: number
        meta:
          type: object
          additionalProperties: true
      required:
        - message
        - name
        - identifier
        - rawStatus
      x-entrypoint:
        origin: ./src/publicApi
        sourcePath: ./src/publicApi/main.yaml
        title: Error
        virtualPath: components/Error
      title: Error
    AuthorizationWebhookCondition:
      description: >
        A condition expression evaluated against a card authorization, used to
        decide whether the `default` fallback behavior applies to that
        transaction.


        Conditions form a small expression tree:

        - Logical nodes (`and` / `or`) combine two sub-conditions and can be
        nested.

        - Comparison leaves (`lte`, `lt`, `gte`, `gt`, `eq`) test the
        transaction amount (`amountCents`, the absolute amount in USD cents).

        - Set-membership leaves (`in`) test whether the transaction's
        `merchantCategoryCode` (4-digit MCC) or `merchantCountry` (ISO 3166-1
        alpha-2, as delivered on the authorization request event's
        `merchant.location.country`) is one of the given values.


        A condition over a field the authorization request did not carry
        evaluates to false.
      oneOf:
        - type: object
          description: >
            Logical node: combines two sub-conditions with `and` (both must
            match) or `or` (either must match). Sub-conditions may themselves be
            logical nodes.
          properties:
            operator:
              type: string
              enum:
                - and
                - or
              description: How the two sub-conditions are combined.
            left:
              $ref: '#/components/schemas/AuthorizationWebhookCondition'
              description: The first sub-condition.
              x-entrypoint:
                virtualPath: schemas/AuthorizationWebhookCondition
                sourcePath: schemas/AuthorizationWebhookCondition.yaml
                title: AuthorizationWebhookCondition
                origin: ./src/publicApi
            right:
              $ref: '#/components/schemas/AuthorizationWebhookCondition'
              description: The second sub-condition.
              x-entrypoint:
                virtualPath: schemas/AuthorizationWebhookCondition
                sourcePath: schemas/AuthorizationWebhookCondition.yaml
                title: AuthorizationWebhookCondition
                origin: ./src/publicApi
          required:
            - operator
            - left
            - right
        - type: object
          description: >
            Amount comparison leaf: tests the absolute transaction amount in USD
            cents against `value`.
          properties:
            operator:
              type: string
              enum:
                - lte
                - lt
                - gte
                - gt
                - eq
              description: >-
                The comparison to apply: less-than-or-equal, less-than,
                greater-than-or-equal, greater-than, or equal.
            field:
              type: string
              enum:
                - amountCents
              description: >-
                The transaction field being compared. Amounts are compared as
                absolute values in USD cents.
            value:
              type: integer
              description: The amount in USD cents to compare against.
          required:
            - operator
            - field
            - value
        - type: object
          description: >
            Set-membership leaf: tests whether the transaction's merchant
            category code or merchant country is one of `values`.
          properties:
            operator:
              type: string
              enum:
                - in
              description: Matches when the transaction's field value is one of `values`.
            field:
              type: string
              enum:
                - merchantCategoryCode
                - merchantCountry
              description: >-
                `merchantCategoryCode` is the 4-digit MCC; `merchantCountry` is
                the ISO 3166-1 alpha-2 merchant country.
            values:
              type: array
              items:
                type: string
              description: The set of values to match against.
          required:
            - operator
            - field
            - values
      x-entrypoint:
        virtualPath: schemas/AuthorizationWebhookCondition
        sourcePath: schemas/AuthorizationWebhookCondition.yaml
        title: AuthorizationWebhookCondition
        origin: ./src/publicApi
      title: AuthorizationWebhookCondition
  securitySchemes:
    api_key:
      type: apiKey
      description: |
        API key authentication for public API requests.

        Keys come in two flavors:

        - *Legal-entity-scoped keys* are pinned to a single legal entity.
          Minted via the dashboard under a specific entity; every request
          acts on that entity.
        - *User-scoped keys* are pinned to a user and span every legal
          entity that user has access to. Every request made with a
          user-scoped key (except `GET /legal-entity`, which lists the
          legal entities the user can access) must include an
          `x-legal-entity` header naming the legal entity the request is
          operating on. Requests without the header are rejected with
          `400`. The authenticated user must have an active permission
          role on the supplied legal entity, otherwise the request is
          rejected with `403`.
      name: X-API-Key
      in: header
    partner_api_key:
      type: apiKey
      description: |
        Partner-program API key authentication.

        Keys are minted in the partner dashboard (Developers → API Keys),
        are scoped to a single partner program, and are prefixed with
        `sk_partner_`. Partner keys are only accepted by routes that
        declare this scheme; they are rejected by `api_key` routes and
        vice versa.
      name: X-API-Key
      in: header
    bearer:
      type: http
      scheme: bearer
    developer_application:
      type: http
      scheme: basic

````