Notifications: Allowed URLs for Webhooks

Tatum restricts URLs used for webhook notifications to ensure security and reliability.


Accepted URLs

URLs used to receive Tatum webhook notifications must meet these criteria:

  • Use a public domain registered under an allowed public top-level domain (TLD).
    (Example: https://example.com/webhook)

Note: Verify allowed TLDs against the Public Suffix List.


Blocked URLs

Tatum blocks webhook notifications to the following:

  • Domains using private or internal TLDs
    (Examples: .internal, .local, .test)

  • URLs resolving to private IP addresses (localhost, link-local, or private network addresses).
    (Examples: http://localhost:8080, http://192.168.1.1)

  • URLs resolving to these reserved IP address ranges:

    Address Type              IP Range
    IPv4 Limited Broadcast    255.255.255.255/32
    IPv4 Multicast            224.0.0.0/4
    IPv6 Multicast            ff00::/8

Note: Verify the list of private IP address ranges used by Tatum in the standard Node IP package documentation.


Recommended Practices

  • Use domains with publicly accessible DNS records.
  • Verify your domain resolves to a public IP address.
  • Regularly monitor webhook delivery status from the Tatum Dashboard.
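
A pre-flight check you can run on your own endpoint before registering it, written here as an added example (it is not Tatum's code). It applies the blocked TLD examples and the reserved ranges from this page; the private-address test uses Python's ipaddress flags, which is an assumption and only approximates the Node IP package list, and all function names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# TLD examples the page lists as blocked; not an exhaustive list.
BLOCKED_TLDS = {"internal", "local", "test"}
# Reserved ranges from the table on this page.
RESERVED = [ipaddress.ip_network(n)
            for n in ("255.255.255.255/32", "224.0.0.0/4", "ff00::/8")]

def classify_ip(addr):
    """Return why an address would be blocked, or None if it looks public."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 zone id
    ip = getattr(ip, "ipv4_mapped", None) or ip     # unwrap ::ffff:a.b.c.d
    for net in RESERVED:
        if ip in net:
            return f"reserved range {net}"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:   # Python's list; an approximation of Tatum's
        return "private network"
    return None

def resolve(host):
    """Default resolver: every address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_webhook_url(url, resolver=resolve):
    """Return a list of problems; empty means no blocked condition was found."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return ["URL has no host"]
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        if "." not in host or host.rsplit(".", 1)[-1] in BLOCKED_TLDS:
            return [f"host '{host}' is not under a public TLD"]
        addrs = resolver(host)
    return [f"{a}: {r}" for a in addrs if (r := classify_ip(a))]

if __name__ == "__main__":
    # Constructed lookup table standing in for DNS so the demo runs offline.
    fake_dns = {"example.com": ["93.184.216.34"],
                "hooks.example.org": ["10.0.0.5", "8.8.8.8"]}
    for u in ("https://example.com/webhook", "http://localhost:8080",
              "http://192.168.1.1", "https://hooks.example.org/in"):
        print(u, "->", check_webhook_url(u, fake_dns.__getitem__) or "ok")
```

Every resolved address is checked, so a hostname with one public and one private record is still reported.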