Skip to content

FMS Webhooks

This page documents the JSON payloads your Fraud Management System (FMS) will receive from the Waspada Gateway. These schemas are designed for automated processing — no human intervention required for alert triage.

Overview

Partner SDK → Waspada Gateway → Your FMS Webhook

                    ├── RS256 JWT Verification
                    ├── PII Filter (defense-in-depth)
                    ├── RDAP Domain Enrichment
                    └── FMS Alert Formatting

PII-stripped payloads

The WaspadaTelemetryPayload sent by the SDK is stripped of NRIC, phone, and email on the client. The Gateway runs a secondary filter as defense-in-depth. Absolute “zero PII egress” is not claimed — scammer aliases may egress under partner policy (hash / include / omit).

Webhook Endpoint

Configure your FMS to accept POST requests:

POST https://your-fms.bank.com.my/api/waspada/alerts
Content-Type: application/json
Authorization: Bearer <gateway-jwt>

FMS Risk Alert Schema

This is the payload your webhook receives:

json
{
  "alert_id": "waspada_alert_a1b2c3d4e5f6",
  "version": "2.1",
  "timestamp_utc": "2026-07-08T14:32:01.456Z",
  "source_sdk_version": "0.1.0",

  "urgency": "HIGH",
  "action_requested": "FREEZE_MULE_ACCOUNT",

  "indicators": {
    "target_mule_account": "1234567890",
    "mule_bank_bic": "MBBEMYKL",
    "scammer_alias": "AHMAD BIN ALI",
    "malicious_urls": [
      "https://scam-site.example.com/pay"
    ]
  },

  "enrichment": {
    "domain_analysis": [
      {
        "url": "https://scam-site.example.com/pay",
        "registrar": "NameCheap Inc.",
        "registration_date": "2026-06-15",
        "domain_age_days": 23,
        "risk_flag": "NEWLY_REGISTERED"
      }
    ]
  },

  "extraction_metadata": {
    "extraction_tier": "HYBRID",
    "confidence": 0.92,
    "document_type": "PDF",
    "processing_latency_ms": 87
  },

  "client_verification": {
    "extraction_tier": "HYBRID",
    "sdk_version": "0.1.0",
    "platform_attestation": null,
    "local_crypto_hash": "sha256:a1b2c3..."
  },

  "gateway_signature": "gw_sig_7f8e9d0c1b2a3456"
}

Field Reference

Root Fields

FieldTypeDescription
alert_idstringUnique alert identifier (prefixed waspada_alert_)
versionstringAlert schema version
timestamp_utcstringISO 8601 timestamp
urgency"HIGH" | "MEDIUM" | "LOW"Alert priority for triage
action_requestedstringRecommended bank action

Urgency Levels

LevelTriggerRecommended Response Time
HIGHMule account number + bank BIC identified< 15 minutes
MEDIUMPartial indicators (alias only, or URL only)< 1 hour
LOWInformational (domain analysis, no account)Best effort

Action Codes

CodeDescription
FREEZE_MULE_ACCOUNTSuspected mule account identified — freeze immediately
FLAG_FOR_REVIEWPartial evidence — queue for manual analyst review
INFORMATIONALDomain intelligence only — no immediate account action

indicators Object

FieldTypeDescription
target_mule_accountstring | undefinedSuspected mule's bank account number
mule_bank_bicstring | undefinedSWIFT/BIC code of the mule's bank
scammer_aliasstring | undefinedName/alias extracted from evidence
malicious_urlsstring[] | undefinedSuspicious URLs found in evidence

What You Will NOT Receive

  • Victim's name
  • Victim's NRIC / IC number
  • Victim's phone number
  • Victim's bank account number
  • Transaction amounts
  • Any other PII

These are stripped at the SDK level before transmission.

enrichment.domain_analysis Array

Each malicious URL is enriched via RDAP lookup:

FieldTypeDescription
urlstringThe suspicious URL
registrarstringDomain registrar
registration_datestringDomain registration date
domain_age_daysnumberAge since registration
risk_flagstringRisk indicator

Risk Flags:

FlagMeaning
NEWLY_REGISTEREDDomain < 30 days old (common scam pattern)
PRIVACY_PROTECTEDWHOIS privacy enabled (suspicious for financial sites)
RDAP_UNREACHABLERDAP server unavailable (cannot verify)

Telemetry Payload Schema

This is the raw payload sent by the SDK to the Gateway (before enrichment):

typescript
interface WaspadaTelemetryPayload {
  event_id: string;              // UUID v4
  timestamp_utc: string;         // ISO 8601
  source_platform: string;       // Partner app ID
  sdk_version: string;           // Semantic version

  indicators: {
    mule_bank_bic?: string;      // SWIFT/BIC code
    mule_account_number?: string; // Account number
    scammer_alias?: string;      // Extracted name
    malicious_urls?: string[];   // Suspicious URLs
  };

  extraction_confidence: number; // 0.0 - 1.0
  document_type: "PDF" | "IMAGE";

  client_verification: {
    extraction_tier: "REGEX_ONLY" | "NER_ENCODER" | "HYBRID";
    sdk_version: string;
    platform_attestation: string | null;
    local_crypto_hash: string;
  };

  client_signature: string;      // RS256 JWT from partner
}

Testing Your Webhook

Use curl to simulate a Gateway alert:

bash
curl -X POST https://your-fms.bank.com.my/api/waspada/alerts \
  -H "Content-Type: application/json" \
  -d '{
    "alert_id": "waspada_alert_test001",
    "version": "2.1",
    "timestamp_utc": "2026-07-08T14:32:01.456Z",
    "urgency": "HIGH",
    "action_requested": "FREEZE_MULE_ACCOUNT",
    "indicators": {
      "target_mule_account": "1234567890",
      "mule_bank_bic": "MBBEMYKL",
      "scammer_alias": "TEST SCAMMER"
    },
    "enrichment": { "domain_analysis": [] },
    "extraction_metadata": {
      "extraction_tier": "REGEX_ONLY",
      "confidence": 0.95,
      "document_type": "IMAGE",
      "processing_latency_ms": 8
    }
  }'

Or use the Waspada Gateway's built-in mock endpoint:

bash
curl -X POST http://localhost:3001/mock/fms-webhook \
  -H "Content-Type: application/json" \
  -d '{ "test": true }'

Waspada AI: Enterprise infrastructure powering public defense.