Release Notes

Withdrawals SDK: Webhook header update + payment_id field now included in /client_auth_token response

Release date

June 13th, 2025

Release type

Action is required if you fall into any of the below buckets:

  • You currently consume any webhooks of ours
  • You currently use the Account Funding: Withdrawals product

Summary

Payments webhooks: new timestamp header

📢 Security Enhancement

To strengthen webhook security against replay attacks, we’ve introduced a new mechanism that includes a timestamp and new signature headers. These additions allow you to verify not only the authenticity of a webhook, but also its timeliness, helping prevent intercepted messages from being reused maliciously.

🔄 Graceful Transition Plan

To allow a smooth migration, both the existing and new security headers will be sent during a grace period. We encourage clients to begin validating the new headers as soon as possible, as the old headers will be deprecated in the future.

✅ Current headers: Will continue to be sent during the transition.

✅ New headers: Available now for improved protection.

❌ Deprecated: The old signature-only verification will be phased out after the grace period (cutover date is August 12th, 2025).

🔧 Header Reference

Standard Headers

NameDescription
x-zh-hook-notification-idUnique identifier for the notification. Use for idempotency checks.
x-zh-hook-payload-typeType of payload (e.g., participant_status_changed, payment_status_changed, etc.).

Depending on your security configuration, additional headers may also be included:

Current Security Headers (Legacy)

NameDescription
x-zh-hook-signature-256to_hex(hmac(sha_256(payload), your-secret))used if token-based signing was configured.
x-zh-hook-rsa-signature-256to_hex(rsa(sha_256(payload), zh-sec-key))— RSA signature of payload.

New Security Headers (Replay Attack Protection)

NameDescription
x-zh-hook-timestampUNIX timestamp (in milliseconds) when the webhook request was generated. Clients should validate that this value is within an acceptable window (e.g., ±5 minutes) of their system clock.
x-zh-hook-signatureto_hex(hmac(sha256(payload + timestamp), your-secret)) — includes timestamp in signature for replay protection.
x-zh-hook-rsa-signatureto_hex(rsa(sha256(payload + timestamp), zh-sec-key)) — RSA signature of payload + timestamp.

/client_auth_token response: new payment_id field

We will now be providing the payment_id on the response of the POST /client_auth_token call If the permission = crypto-withdrawals or crypto-payouts. This payment_id will then be included in all subsequent payment webhook events associated with that SDK session. This payment_id is also included in the GET /payments/{payment_id} call.

Action required

  • For any Platforms that are currently consuming any webhooks of ours, the grace period to transition to our new webhook verification convention will end on August 12th, 2025. We'll send periodic reminders and as always can offer technical support if there are any questions.
  • For those Platforms that are using the Account Funding: Withdrawal product, please begin to consume the payment_id from the POST /client_auth_token as soon as possible. We'll then schedule a conformance test in accordance with the requirements laid out in the Withdrawals - Reconciliation guide.

Endpoints impacted

  • POST /client_auth_token

Relevant documentation

Polkadot Asset Hub tokens support


Release date

June 11th, 2025

Release type

Informational – Optional action from platforms.

Summary

Zero Hash now supports the following Polkadot Asset Hub assets on our platform:

  • DOT (native token)
  • USDC
  • USDT

This includes the ability to deposit, hold and withdraw funds on the native chain of these assets.

📘

USDT not available in CERT environment

Note that USDT is not available in CERT for testing. We recommend use USDC instead for CERT testing.

NY supported

Only the asset DOT is supported in NY State. USDC and USDT on Asset Hub are NOT supported on NY State.

Action required

No action required by the platforms, these assets are enabled automatically for your use.

Endpoints impacted

No endpoints impacted. When the asset is required on an action, just use the proper notation:

  • DOT.DOTHUB
  • USDC.DOTHUB
  • USDT.DOTHUB

Relevant documentation

Metadata field added to Participant Full Information endpoint

Release type

Informational – Optional action from platforms.

Summary

A new field was added to the participants information sharing endpoint:

  • Metadata (object): Can be used to submit any additional unstructured metadata

This field will relay the content of metadata sent by the platform when creating the participant. This field is part of the participant creation endpoint and entity creation endpoint.

The information now is incorporated into the following endpoint payload:

  • GET /participant/{participant_code}/full_info

Action required

No action needed from platforms. The field will be included on the payload as described.

Platforms who want to access the Full Information endpoint need to contact client support to have this endpoint enabled.

Endpoints impacted

  • GET /participant/{participant_code}/full_info

Relevant documentation

Control Persons and Ultimate Business Owners information endpoint

Jun 3, 2025

Release type

Informational – Optional action from platforms.

Summary

There is a new endpoint under the Participant information sharing endpoints that allows the platform to access the information of Control Persons or Ultimate Business Owners of an entity with a participant code in Zero Hash.

  • GET /participant/{participant_code}/full_info/cp_bo
  • GET /participant/{participant_code}/sanction_screening_info/cp_bo
  • GET /participant/{participant_code}/basic_info/cp_bo

This endpoint will provide the Control Person / Ultimate Business Owner information according to the PII access level the platform is certified for.

For more information on this, refer to the following documentation:

https://docs.zerohash.com/changelog/participant-information-sharing-with-platform#summary

Action required

No action needed from platforms. The endpoint will be available upon release.

Platforms who want to access the Full Information endpoint need to contact client support to have this endpoint enabled.

Endpoints impacted

  • GET /participant/{participant_code}/full_info/cp_bo
  • GET /participant/{participant_code}/sanction_screening_info/cp_bo
  • GET /participant/{participant_code}/basic_info/cp_bo

Relevant documentation

Payouts SDK

Release Details

Release Date: June 2nd, 2025

Release Type

Informational – optional action from platforms

Summary

Zero Hash is pleased to announce the launch of the Payouts SDK - an embeddable, low-code widget that allows Platforms to offer stablecoin (and crypto) payouts to their end customers.

Use Cases

  • Gig economy payouts: Instantly pay freelancers, creators, and contractors in stablecoins or crypto - no more waiting days for bank transfers.
  • Marketplace payouts: Let sellers withdraw earnings in stablecoins or crypto for faster, global, low-fee access to their funds.
  • Cross-border payroll: Pay remote teams or international employees without the friction of traditional banking rails.
  • Creator economy: Enable platforms like streaming services, music apps, or influencer platforms to pay creators in real-time using stablecoins or crypto.
  • Affiliate & partner rewards: Instantly settle commissions and partner earnings globally with fewer currency conversion headaches.
  • DeFi and crypto-native platforms: Add stablecoin or crypto payouts for dApps or web3 tools that need to distribute funds or earnings.

How it works

  • See end to end integration guide here

Webhooks: Trade Status and Balance Updates

Release Details

Release Date: May 12th, 2025

Release Type

Informational – optional action from platforms

Summary

Trade status and balance updates are now available via webhooks. This enhancement provides more granular and timely information on trade settlement, the flow of crypto assets, and authoritative changes to account balances held at Zero Hash. To enable this feature, please reach out to your Zero Hash rep and they will configure your Platform accordingly.

New webhook notifications:

  1. trade.status_changed
  2. account_balance.changed

For more information about configuration and handling webhook payloads, visit the Webhooks Overview page.

Trade Status Changed

Trade status notifications provide information about the current trade status. Net Settlement Trades (a.k.a allocation trades) are filtered out and thus don’t generate a notification for the platforms. There are 3 types of status change notifications:

  • accepted - the trade was successfully submitted, accepted, and pending settlement
  • active - within the settlement window, settlement was attempted but is not yet complete
  • terminated - trade was successfully settled; no further status updates will be issued

Note: The x-zh-hook-payload-type must be set to trade_status_changed

While the schema closely follows the existing GET /trades/{trade_id} endpoint, it does NOT contain EVERY field exposed by the endpoint, such as:

  • "accepted_timestamp"
  • "defaulted_timestamp"
  • "settled_timestamp"
  • "last_update"
  • "settlement_timestamp"
  • "expiry_timestamp"
  • "spread_notional"
  • "spread_bps"
  • "session_id"
  • “payment_processor”
  • “fees”
  • “batch_trade_id“

Any additional or supplementary information should still be fetched from GET /trades/{trade_id} endpoint.

Balance Changed

Account balance change notification provides information about the current available account balance. A notification is emitted when the account balance changes for the following account types:

  • available
  • collateral

Note: The x-zh-hook-payload-type must be set to account_balance.changed.

The schema of the event payload will follow the existing private websocket balance updates feed

Relevant Documentation

New network supported: Worldchain

Release Details

  • Release Date: April 30th, 2025

Release Type

Informational – Optional action from platforms

Summary

Zero Hash is pleased to announce support for the Worldchain network. Worldcoin on Worldchain (WLD.WORLDCHAIN) and Ethereum on Worldchain (ETH.WORLDCHAIN) has been added to buy, sell, deposit, withdraw and account funding in both our Cert and Prod environments.

These assets are not currently transact-able by New York residents. A future release note will be created once New York support is enabled.

Action Required

These assets are immediately available using the symbols (WLD.WORLDCHAIN) and (ETH.WORLDCHAIN)

Endpoints Impacted

There are no changes to existing endpoints as a result of this launch.

Relevant Documentation

For a full list of supported assets and instruments, please use the links below.

Account Funding: Customer sub-accounts

Release Details

Release Date: April 16th, 2025

Release Type

Informational – optional action from platforms

Summary

The Account Funding product now supports sub-accounting. It's common for platforms to offer their customers the ability to create multiple accounts. For instance, a brokerage may allow customers to open separate trading accounts for tax optimization, risk management, differentiated trading strategies, or to simply organize investments by distinct goals.

As a result, it's essential that Zero Hash provides the flexibility to segregate transactions based on the specific account in use - enter Customer sub-accounts.

There is a new optional query param called the account_label which has been added to the following Account Funding SDK's

Read the end-to-end integration guide to see this new feature in action. At a high-level, here are the impacts:

Funding

  • The Platform will acquire an access token the same way they do today, just additionally specifying an account_label on the call
  • Zero Hash will save this and attach it to an address once the user selects the Asset and Network
  • Once the Customer deposits, Zero Hash will:
    • Recognize the deposit, where the account will have the specified account_label
    • Auto-convert the asset to USD
    • Auto-transfer the USD to the Platform (if configured for this)
    • Send a Fund webhook with the specified account_label in the payload
  • The Platform will also be able to retroactively query GET /fund/transactions and see the proper account_label associated with the transaction

Withdrawal

  • The Platform will acquire an access token for the Account Link SDK identically to how they do today. No change here
  • The Platform will acquire an access token for the Withdraw SDK the same way they do today, just additionally specifying an account_label on the call
  • The Customer will initiate a withdrawal on the SDK, triggering the following
    • Auto-convert from the Float account to the asset (no change)
    • Auto-disburse the asset to the destination address, debiting the Customer's account with the specified account_label
    • Send a Payments webhook with the specified account_label in the payload

Products Impacted

Account Funding - this impacts both the SDK and API

Relevant Documentation

Account Funding: More available assets

Release Details

Release Date: April 3rd, 2025

Release Type

Informational – optional action from platforms

Summary

Account Funding SDK (BTC example)

Account Funding SDK (BTC example)

The Account Funding product has added additional asset support for both the API and the SDK:

Asset NameAsset.Network
AaveAAVE.ETH
CardanoADA
AlgorandALGO
Ape CoinAPE.ETH
AptosAPT
Avalanche C-ChainAVAX
Basic Attention TokenBAT.ETH
Bitcoin CashBCH
BitcoinBTC
DaiDAI.ETH
DogecoinDOGE
MultiversXEGLD
Enjin CoinENJ.ETH
EOSEOS
EthereumETH / ETH.BASE / ETH.OPTIMISM
The GraphGRT.ETH
HederaHBAR
Kyber NetworkKNC.ETH
ChainlinkLINK.ETH
LitecoinLTC
Polygon MATIC (ERC20)MATIC.ETH
Polygon (Native)MATIC.POLYGON
Paypal USDPYUSD.ETH / PYUSD.SOL
Ripple USDRLUSD.XRP / RLUSD.ETH
SHIBA INUSHIB.ETH
SolanaSOL
SuiSUI
UniswapUNI.ETH
USDC Coin (Hedera)USDC.HBAR
TetherUSDT.ETH
Tether (Polygon)USDT.POLYGON
Tether (Solana)USDT.SOL
StellarXLM
RippleXRP
TezosXTZ
0xZRX.ETH

Prior to this release, Account Funding supported the following:

Asset NameAsset.Network
USDC Coin (Arbitrum)USDC.ARBITRUM
USDC Coin (Avalanche)USDC.AVAX
USDC Coin (Base)USDC.BASE
USDC Coin (Ethereum)USDC.ETH
USDC Coin (Optimism)USDC.OPTIMISM
USDC Coin (Polygon)USDC.POLYGON
USDC Coin (Solana)USDC.SOL
USDC Coin (SUI)USDC.SUI

This brings the total asset support to 37 across 19 different networks

Configuration

Platforms can choose which assets they'd like configured. The process for making this configuration is to reach out to your Zero Hash contact, who can then make a quick adjustment on our end.

How it works - Deposit

Select Asset


Select Network

This is what the screen would like if USDT was selected prior, for example. For single-network assets like BTC, this screen is skipped

This is what the screen would like if USDT was selected prior, for example. For single-network assets like BTC, this screen is skipped


Transaction Pending

At this point, the user should be navigating to their wallet or exchange app and initiating a "push" transaction from there to the address shown on this screen

At this point, the user should be navigating to their wallet or exchange app and initiating a "push" transaction from there to the address shown on this screen

The user is presented with the address, a calculator and a rate:

  • Address: The address that the user should send the asset to
  • Calculator: A helpful tool for users to get an approximate fiat conversion amount for their desired deposit quantity
  • Rate: A non-executable current price of the asset. Deposits will be converted at the price at the time of deposit

Calculator

Users can estimate how much their deposit will be converted into. Rates on this screen are solely estimates.

Users can estimate how much their deposit will be converted into. Rates on this screen are solely estimates.


Asset Deposited and Converted

Once the user's deposit has confirmed on-chain, Zero Hash will automatically and immediately liquidate the deposited asset into fiat currency (ie, USD) at the current prevailing rate.

How it works - Withdrawal

The above described assets are also now available to be withdrawn using the Account Link + Withdraw SDK

Account Link SDK

Withdraw SDK

Action Required

If you're interested in configuring your SDK for these additional assets, please reach out to your Zero Hash contact. It is a quick process for us to make this configuration.

Products Impacted

Account Funding - this impacts both the SDK and API

Relevant Documentation