Webhooks

Define webhook rules to your server. The callback URL will receive a POST request with the related object's (e.g. Purchase for purchase.* webhooks) data in body when any of the events is configured to listen for are triggered. The payload object will additionally include an "event_type" field to indicate which event type triggered the webhook and "status" to indicate failure or success of the transaction.

The webhooks can be defined in the developer section of the client account.

Note that, as well as with the rest of dataset, test and live Webhooks are separate; test webhooks will not handle events caused by live Purchases, and vice-versa.

Webhook Authorization

Payloads are signed using asymmetric A.K.A. public-key cryptography to guarantee the authenticity of delivered callbacks. Each callback delivery request includes an X-Signature header field. This field contains a base64-encoded RSA PKCS#1 v1.5 signature of the SHA256 digest of the request body buffer.

You can obtain the public key for Webhook authentication from Webhook.public_key of the corresponding Webhook.

You can obtain the public key for success callback authentication from GET {base_url}/api/v1/public_key/

Please note the provider is not responsible for any financial losses incurred due to not implementing payload signature verification.

See below sample