> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lerian.studio/llms.txt
> Use this file to discover all available pages before exploring further.

# Receive an aggregator webhook

> Receives a Pluggy/Belvo aggregator webhook and asynchronously pulls the signaled data into the ingestion pipeline. This route carries no operator JWT. It is authenticated by an opaque token in the URL path (resolved to a tenant binding server-side, never claimed) PLUS a per-provider source check: a valid HMAC-SHA256 of the raw body in the X-Webhook-Signature header, OR membership in the provider's source-IP allowlist. Both layers fail closed; the tenant is derived solely from the resolved token binding.



## OpenAPI

````yaml en/openapi/v3-current/matcher.yaml post /v1/discovery/webhooks/{provider}/{webhookToken}
openapi: 3.1.0
info:
  title: Matcher APIs
  description: >-
    Complete API reference for the Matcher reconciliation engine, providing
    automated transaction matching between Midaz Ledger and external systems.
  version: 4.1.0
  license:
    name: Elastic License 2.0
    url: https://www.elastic.co/licensing/elastic-license
servers:
  - url: https://matcher.sandbox.lerian.net
security: []
paths:
  /v1/discovery/webhooks/{provider}/{webhookToken}:
    post:
      tags:
        - Discovery
      summary: Receive an aggregator webhook
      description: >-
        Receives a Pluggy/Belvo aggregator webhook and asynchronously pulls the
        signaled data into the ingestion pipeline. This route carries no
        operator JWT. It is authenticated by an opaque token in the URL path
        (resolved to a tenant binding server-side, never claimed) PLUS a
        per-provider source check: a valid HMAC-SHA256 of the raw body in the
        X-Webhook-Signature header, OR membership in the provider's source-IP
        allowlist. Both layers fail closed; the tenant is derived solely from
        the resolved token binding.
      operationId: receiveAggregatorWebhook
      parameters:
        - description: Aggregator provider the token was minted for (pluggy or belvo)
          in: path
          name: provider
          required: true
          schema:
            description: Aggregator provider the token was minted for (pluggy or belvo)
            examples:
              - pluggy
            type: string
        - description: >-
            Opaque webhook token minted for the connection; hashed and resolved
            to a tenant binding server-side
          in: path
          name: webhookToken
          required: true
          schema:
            description: >-
              Opaque webhook token minted for the connection; hashed and
              resolved to a tenant binding server-side
            type: string
        - description: >-
            Hex HMAC-SHA256 of the raw body for signing providers; omitted by
            IP-allowlist providers
          in: header
          name: X-Webhook-Signature
          schema:
            description: >-
              Hex HMAC-SHA256 of the raw body for signing providers; omitted by
              IP-allowlist providers
            type: string
      requestBody:
        content:
          application/octet-stream:
            schema:
              contentMediaType: application/octet-stream
              format: binary
              type: string
        required: true
      responses:
        '202':
          description: Accepted
        default:
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Detail'
          description: Error
      security:
        - {}
        - WebhookSignature: []
components:
  schemas:
    Detail:
      additionalProperties: false
      properties:
        code:
          description: >-
            Stable, machine-readable domain error code scoped to the emitting
            service (format: <SERVICE>-NNNN).
          examples:
            - ERR-0001
          type: string
        detail:
          description: >-
            A human-readable explanation specific to this occurrence of the
            problem.
          examples:
            - Property foo is required but is missing.
          type: string
        errors:
          description: Optional list of individual error details
          items:
            $ref: '#/components/schemas/ErrorDetail'
          type:
            - array
            - 'null'
        instance:
          description: >-
            A URI reference that identifies the specific occurrence of the
            problem.
          examples:
            - https://example.com/error-log/abc123
          format: uri
          type: string
        status:
          description: HTTP status code
          examples:
            - 400
          format: int64
          type: integer
        title:
          description: >-
            A short, human-readable summary of the problem type. This value
            should not change between occurrences of the error.
          examples:
            - Bad Request
          type: string
        type:
          default: about:blank
          description: A URI reference to human-readable documentation for the error.
          examples:
            - https://example.com/errors/example
          format: uri
          type: string
      type: object
    ErrorDetail:
      additionalProperties: false
      properties:
        location:
          description: >-
            Where the error occurred, e.g. 'body.items[3].tags' or
            'path.thing-id'
          type: string
        message:
          description: Error message text
          type: string
        value:
          description: The value at the given location
      type: object
  securitySchemes:
    WebhookSignature:
      description: >-
        Hex HMAC-SHA256 of the raw request body, proving an inbound aggregator
        webhook originated from the configured provider.
      in: header
      name: X-Webhook-Signature
      type: apiKey

````