Guides
Start typing to search…

Webhook Updates

We will push real-time notifications to your server whenever there is a change in application status or a new offer is available.

Managing Webhooks

You can manage webhooks (create, read, update, delete) using the webhooks endpoints: Webhooks. These endpoints require the same authentication as all other endpoints.

A typical workflow would be to create a webhook to be notified of every new offer:

$ curl --request POST \
     --url https://partner.sandbox.mulliganfunding.com/iso/api/v1/webhooks \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header "Authorization: Bearer ${TOKEN}" \
     --data '
{
  "event_type": "offer",
  "webhook_url": "https://httpbin.org/post"
}
'
{"uuid": "a20f38a1-343c-4560-895e-0df77cef1a6b", "event_type": "offer", "is_active": true, "webhook_url": "https://httpbin.org/post"}

After that, we can actually immediately fire a test event to our supplied endpoint:

curl --request POST \
     --url https://partner.sandbox.mulliganfunding.com/iso/api/v1/webhooks/test \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header "Authorization: Bearer ${TOKEN}" \
     --data '{"webhook_uuid": "a20f38a1-343c-4560-895e-0df77cef1a6b"}'

For more information, check the API Reference .

Sample Webhook Request Body

The webhook will include a JSON-encoded request body with the following structure:

{
  "message_type": "application_event", // OR "offer_event"
  "callback_path": "https://partner.mulliganfunding.com/iso/api/v1/applications/1234",
  "status": "app_under_review",
  "application_id": "1234",
  "timestamp": "2026-01-19T20:53:29.879767+00:00",
  "event_id": "09db598b-d245-49e1-979c-7bc6c22c169a",
}

The "status" key is one of our "Webhook Event Statuses", described below.

Webhook Event Statuses Your system should be prepared to handle various status updates, including:

  • app_under_review: Application is being processed.
  • app_funded: The deal has reached completion.
  • app_declined_closed: The application was not approved.
  • app_documentation_pending:
  • app_final_approval:
  • app_incomplete_info: More information is needed to continue processing this application.
  • offer_available: A funding offer has been generated.
  • offer_accepted: An offer has been accepted.
  • offer_rescinded: An offer has been rescinded.

Security & Verification

There are two ways to validate a webhook came from the Mulligan iso-api:

  • Validate JWT in X-Signature header
  • Validate static IP address (listed below)

JWT Signature in Webhook Header

All webhook requests include an X-Signature header containing a JSON Web Token (JWT). To ensure the request originated from Mulligan Funding, you should verify this signature using our public keys.

You can find the public-keys to validate this JWT at the Get JSON Web Key Set endpoint. The Authentication guide includes more information about this signature and validating webhook signatures.

Webhook Client IP Addresses

Mulligan webhooks will originate from one of the following IP addresses, depending on the environment:

sandbox:

  • 40.81.11.94 (Primary)
  • 52.225.50.87
  • 20.245.84.81
  • 20.237.228.32

Production

  • 40.91.91.108 (Primary)
  • 172.179.30.35
  • 4.154.230.90
  • 40.64.77.16
🚧

Note: Currently only the IP addresses labeled "Primary" above are in use, but we are planning to add the other fallback IP addresses to our pool soon, so your system should be prepared to accept any of the above client IP addresses.

Updated about 1 month ago