Inbound: chargeback ingestion
When you connect a payment processor, Fraud Command Center registers a webhook endpoint so the processor can notify us of new chargebacks. We use those to populate the Chargebacks tab and to feed auto-rule recalibration.
NMI
URL: https://api.fraudcommandcenter.com/v1/webhooks/nmi
Signing: NMI's webhook key (HMAC of the JSON body), stored in store.settings.nmi_webhook_key.
Authorize.Net
URL: https://api.fraudcommandcenter.com/v1/webhooks/authorizenet
Signing: Authorize.Net signature key (SHA-512 HMAC of the body).
Shopify
Shopify webhooks are handled inside the embedded app — you don't configure them yourself. We register orders/create, app/uninstalled, app/scopes_update, and the GDPR compliance webhooks during install.
WooCommerce
Same model — the plugin registers itself with the API. No manual webhook configuration in WP admin.
Outbound: risk-verdict notifications
On Pro and above, Fraud Command Center can POST risk verdicts to a URL you specify. Configure under Settings → Notifications → Webhooks.
Event types
transaction.scored: fired on every initial scoring.
transaction.rescored: fired when a transaction is reanalyzed.
chargeback.received: fired when a chargeback ingestion completes.
review.decided: fired when a merchant records a review decision.
Payload
{
  "event": "transaction.scored",
  "id": "evt_01HZX0...",
  "occurred_at": "2026-05-12T15:23:18Z",
  "data": {
    "transaction_id": "tx_01HZX0...",
    "risk_score": 82,
    "risk_level": "critical",
    "recommended_action": "hold"
  }
}
Signing
Outbound webhooks are signed with the same HMAC pattern as the API:
canonical = "{timestamp}.{nonce}.{body}"
signature = hmac_sha256(your_webhook_secret, canonical).hexdigest()
Headers: X-FCC-Timestamp, X-FCC-Nonce, X-FCC-Signature.
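Receiver-side verification of the scheme above, as an added example (not Fraud Command Center's own code). Assumptions: X-FCC-Timestamp is Unix seconds, a 300-second tolerance window, and a fresh timestamp and nonce on every delivery attempt, retries included; SECRET and BODY are constructed sample values.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: the page states no tolerance window
_seen_nonces = {}       # nonce -> expiry; use a shared store across workers


def sign(secret: bytes, timestamp: str, nonce: str, body: bytes) -> str:
    # canonical = "{timestamp}.{nonce}.{body}", built on the raw request bytes
    canonical = timestamp.encode() + b"." + nonce.encode() + b"." + body
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers, raw_body: bytes, now=None) -> bool:
    """True only for an authentic, fresh, first-seen delivery."""
    now = time.time() if now is None else now
    # headers: pass your framework's case-insensitive header mapping
    timestamp = headers.get("X-FCC-Timestamp", "")
    nonce = headers.get("X-FCC-Nonce", "")
    received = headers.get("X-FCC-Signature", "")
    if not (timestamp and nonce and received):
        return False

    # Authenticate first, in constant time, before trusting any header value.
    expected = sign(secret, timestamp, nonce, raw_body)
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False

    # Freshness (assumption: X-FCC-Timestamp is Unix seconds).
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False

    # Replay: remember each nonce until its timestamp can no longer pass.
    for old in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[old]
    if nonce in _seen_nonces:
        return False
    _seen_nonces[nonce] = sent_at + MAX_SKEW_SECONDS
    return True


# Constructed sample delivery (not captured from the service).
SECRET = b"constructed-example-secret"
BODY = b'{"event":"transaction.scored","data":{"risk_score":82}}'
```

Run the check on the request bytes exactly as received, before any JSON parsing, since re-serialized JSON will not match byte for byte.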
Retries
Non-2xx responses are retried with exponential backoff for up to 24 hours (5 attempts, 30 s / 2 min / 10 min / 1 h / 6 h). After 24 hours the event is dropped and surfaced in the Webhook deliveries log.