Integrations

Integrations & Delivery

Connect FinTrakker alerts to your existing compliance workflow. Six delivery channels to fit how your team works.

Email Alerts

Live

Branded, formatted email alerts sent directly to your inbox. Each alert includes the entity name, state, license type, license number, change description, and a direct link to the source portal. Configure digest frequency from your account settings.

✓ Immediate alert on change detection
✓ Daily or weekly digest option
✓ Per-product branded template
✓ Severity level prominently displayed
✓ Direct link to source portal
✓ Unsubscribe controls included

Webhooks

Live

HTTPS POST to your endpoint. Each delivery includes a JSON payload with the full alert data and an HMAC-SHA256 signature in the X-Firmhound-Signature header for verification. Retry logic handles transient failures.

✓ HTTPS endpoints only (SSRF protected)
✓ HMAC-SHA256 signature on every request
✓ 3 retry attempts with exponential backoff
✓ alert.created event type
✓ Register via API or account settings
✓ Available on Professional and Enterprise

RSS Feed

Live

Public RSS 2.0 feed of the 20 most recent alerts. No authentication required. Subscribe in any RSS reader, connect to Zapier, or parse with any standard XML library. Includes severity metadata in the feed items.

✓ No auth required — fully public
✓ Standard RSS 2.0 format
✓ 20 most recent alerts
✓ Severity metadata in item elements
✓ Works with any RSS reader

https://firmhound.com/feed/fintrakker

CSV Export

Live

Download filtered alert history as CSV via the API endpoint GET /alerts/export. Apply date range, state, and alert type filters before exporting. Ideal for compliance documentation, board reports, and audit records. Available on Professional and Enterprise plans.

✓ Full filter support (date, state, type)
✓ Includes all alert fields
✓ UTF-8 encoded, RFC 4180 compliant
✓ Available via API or dashboard
✓ Professional and Enterprise plans

Zapier / Make

Coming Soon

Native Zapier and Make (Integromat) connectors are in development. These will enable no-code automations from FinTrakker alerts to Slack, Microsoft Teams, Jira, ServiceNow, PagerDuty, and hundreds of other tools without writing code.

✓ Zapier native app
✓ Make (Integromat) native app
✓ Slack, Teams, Jira triggers
✓ No code required

In the meantime, use webhooks to connect to Zapier or Make via their webhook trigger modules.

Direct API

Live

Full RESTful JSON API with JWT authentication. Query alerts, export data, manage webhooks, and integrate FinTrakker into any custom workflow or compliance management system. See the API documentation for all endpoints and code samples.

✓ RESTful JSON API
✓ JWT authentication
✓ 100 req/min (Starter), 1,000/min (Pro)
✓ Full alert query and filter support
✓ Webhook management endpoints

View API Documentation →

Webhook Reference

Webhook delivery specification

Every webhook delivery is a signed HTTPS POST with JSON body and the X-Firmhound-Signature header. Verify the signature on every request before processing the payload.

Payload structure

{
  "event": "alert.created",
  "data": {
    "id": "alt_7f4a2c8e",
    "product_id": "fintrakker",
    "title": "TX Money Transmitter License — Renewal Due in 7 Days",
    "description": "Your Texas MTL (TX-DOB-MT-2024-00481) expires Apr 26, 2026.",
    "severity": "critical",
    "published_at": "2026-04-19T07:17:00Z",
    "source_url": "https://www.dob.texas.gov/licensing",
    "metadata": {
      "state": "TX",
      "license_type": "Money Transmitter",
      "license_number": "TX-DOB-MT-2024-00481",
      "nmls_id": "4481209",
      "expires_at": "2026-04-26T00:00:00Z",
      "days_until_expiry": 7
    }
  }
}

Delivery specifications

✓ HTTPS endpoints only. HTTP URLs are rejected. Private IP addresses (10.x, 172.16.x, 192.168.x, 127.x) are blocked.
✓ Timeout: 10 seconds. If your endpoint does not respond within 10 seconds, the delivery is marked as failed and retried.
✓ Retry policy: 3 attempts with exponential backoff (5 min, 30 min, 2 hr). After 3 failures the webhook is paused and you are notified.
✓ The X-Firmhound-Signature header contains a timestamp and HMAC-SHA256 digest to prevent replay attacks.

Signature verification (Python)

import hmac
import hashlib
import time

WEBHOOK_SECRET = "your_webhook_secret"  # From your webhook settings

def verify_signature(payload_body: bytes, signature_header: str) -> bool:
    """Verify HMAC-SHA256 webhook signature from Firmhound."""
    if not signature_header:
        return False

    # Header format: "t=TIMESTAMP,v1=SIGNATURE"
    parts = dict(p.split("=", 1) for p in signature_header.split(","))
    timestamp = parts.get("t", "")
    sig = parts.get("v1", "")

    # Reject if timestamp is more than 5 minutes old
    if abs(time.time() - int(timestamp)) > 300:
        return False

    # Compute expected signature
    signed_payload = f"{timestamp}.{payload_body.decode()}"
    expected = hmac.new(
        WEBHOOK_SECRET.encode(),
        signed_payload.encode(),
        hashlib.sha256
    ).hexdigest()

    return hmac.compare_digest(expected, sig)

# Flask example
from flask import Flask, request, abort

app = Flask(__name__)

@app.route("/webhook/fintrakker", methods=["POST"])
def handle_webhook():
    sig = request.headers.get("X-Firmhound-Signature", "")
    if not verify_signature(request.get_data(), sig):
        abort(401)
    data = request.get_json()
    alert = data["data"]
    print(f"Alert received: [{alert['severity'].upper()}] {alert['title']}")
    return "", 200