Appearance
FMS Webhooks
This page documents the JSON payloads your Fraud Management System (FMS) will receive from the Waspada Gateway. These schemas are designed for automated processing — no human intervention required for alert triage.
Overview
Partner SDK → Waspada Gateway → Your FMS Webhook
│
├── RS256 JWT Verification
├── PII Filter (defense-in-depth)
├── RDAP Domain Enrichment
└── FMS Alert FormattingPII-stripped payloads
The WaspadaTelemetryPayload sent by the SDK is stripped of NRIC, phone, and email on the client. The Gateway runs a secondary filter as defense-in-depth. Absolute “zero PII egress” is not claimed — scammer aliases may egress under partner policy (hash / include / omit).
Webhook Endpoint
Configure your FMS to accept POST requests:
POST https://your-fms.bank.com.my/api/waspada/alerts
Content-Type: application/json
Authorization: Bearer <gateway-jwt>FMS Risk Alert Schema
This is the payload your webhook receives:
json
{
"alert_id": "waspada_alert_a1b2c3d4e5f6",
"version": "2.1",
"timestamp_utc": "2026-07-08T14:32:01.456Z",
"source_sdk_version": "0.1.0",
"urgency": "HIGH",
"action_requested": "FREEZE_MULE_ACCOUNT",
"indicators": {
"target_mule_account": "1234567890",
"mule_bank_bic": "MBBEMYKL",
"scammer_alias": "AHMAD BIN ALI",
"malicious_urls": [
"https://scam-site.example.com/pay"
]
},
"enrichment": {
"domain_analysis": [
{
"url": "https://scam-site.example.com/pay",
"registrar": "NameCheap Inc.",
"registration_date": "2026-06-15",
"domain_age_days": 23,
"risk_flag": "NEWLY_REGISTERED"
}
]
},
"extraction_metadata": {
"extraction_tier": "HYBRID",
"confidence": 0.92,
"document_type": "PDF",
"processing_latency_ms": 87
},
"client_verification": {
"extraction_tier": "HYBRID",
"sdk_version": "0.1.0",
"platform_attestation": null,
"local_crypto_hash": "sha256:a1b2c3..."
},
"gateway_signature": "gw_sig_7f8e9d0c1b2a3456"
}Field Reference
Root Fields
| Field | Type | Description |
|---|---|---|
alert_id | string | Unique alert identifier (prefixed waspada_alert_) |
version | string | Alert schema version |
timestamp_utc | string | ISO 8601 timestamp |
urgency | "HIGH" | "MEDIUM" | "LOW" | Alert priority for triage |
action_requested | string | Recommended bank action |
Urgency Levels
| Level | Trigger | Recommended Response Time |
|---|---|---|
| HIGH | Mule account number + bank BIC identified | < 15 minutes |
| MEDIUM | Partial indicators (alias only, or URL only) | < 1 hour |
| LOW | Informational (domain analysis, no account) | Best effort |
Action Codes
| Code | Description |
|---|---|
FREEZE_MULE_ACCOUNT | Suspected mule account identified — freeze immediately |
FLAG_FOR_REVIEW | Partial evidence — queue for manual analyst review |
INFORMATIONAL | Domain intelligence only — no immediate account action |
indicators Object
| Field | Type | Description |
|---|---|---|
target_mule_account | string | undefined | Suspected mule's bank account number |
mule_bank_bic | string | undefined | SWIFT/BIC code of the mule's bank |
scammer_alias | string | undefined | Name/alias extracted from evidence |
malicious_urls | string[] | undefined | Suspicious URLs found in evidence |
What You Will NOT Receive
- Victim's name
- Victim's NRIC / IC number
- Victim's phone number
- Victim's bank account number
- Transaction amounts
- Any other PII
These are stripped at the SDK level before transmission.
enrichment.domain_analysis Array
Each malicious URL is enriched via RDAP lookup:
| Field | Type | Description |
|---|---|---|
url | string | The suspicious URL |
registrar | string | Domain registrar |
registration_date | string | Domain registration date |
domain_age_days | number | Age since registration |
risk_flag | string | Risk indicator |
Risk Flags:
| Flag | Meaning |
|---|---|
NEWLY_REGISTERED | Domain < 30 days old (common scam pattern) |
PRIVACY_PROTECTED | WHOIS privacy enabled (suspicious for financial sites) |
RDAP_UNREACHABLE | RDAP server unavailable (cannot verify) |
Telemetry Payload Schema
This is the raw payload sent by the SDK to the Gateway (before enrichment):
typescript
interface WaspadaTelemetryPayload {
event_id: string; // UUID v4
timestamp_utc: string; // ISO 8601
source_platform: string; // Partner app ID
sdk_version: string; // Semantic version
indicators: {
mule_bank_bic?: string; // SWIFT/BIC code
mule_account_number?: string; // Account number
scammer_alias?: string; // Extracted name
malicious_urls?: string[]; // Suspicious URLs
};
extraction_confidence: number; // 0.0 - 1.0
document_type: "PDF" | "IMAGE";
client_verification: {
extraction_tier: "REGEX_ONLY" | "NER_ENCODER" | "HYBRID";
sdk_version: string;
platform_attestation: string | null;
local_crypto_hash: string;
};
client_signature: string; // RS256 JWT from partner
}Testing Your Webhook
Use curl to simulate a Gateway alert:
bash
curl -X POST https://your-fms.bank.com.my/api/waspada/alerts \
-H "Content-Type: application/json" \
-d '{
"alert_id": "waspada_alert_test001",
"version": "2.1",
"timestamp_utc": "2026-07-08T14:32:01.456Z",
"urgency": "HIGH",
"action_requested": "FREEZE_MULE_ACCOUNT",
"indicators": {
"target_mule_account": "1234567890",
"mule_bank_bic": "MBBEMYKL",
"scammer_alias": "TEST SCAMMER"
},
"enrichment": { "domain_analysis": [] },
"extraction_metadata": {
"extraction_tier": "REGEX_ONLY",
"confidence": 0.95,
"document_type": "IMAGE",
"processing_latency_ms": 8
}
}'Or use the Waspada Gateway's built-in mock endpoint:
bash
curl -X POST http://localhost:3001/mock/fms-webhook \
-H "Content-Type: application/json" \
-d '{ "test": true }'