Webhooks

Overview

When a user pays for your order, we send you a webhook notification indicating that the order has been successfully paid. You must verify and confirm receipt of the order information.

To validate the signatures of incoming requests, you need to obtain a secret key. The secret key is available in your personal account under the API Keys section.

Processing Webhook Responses

If confirmation is not received, the system will automatically resend the notification every hour. Retries continue for 24 hours — either until a successful response is received or the maximum of 24 attempts is reached.

Your server must return an HTTP status 200 and include the string OK in the response body.

How to decode and verify the original data

The data is encoded in base64:

{
  "data": "eyJpZCI6ImI4NjY3NTUwLWM4MmUtNDA0Yi04ZTY0LTc0Zjk4NGM2ZmRkMyIsInR5cGUiOiJvcmRlci5wYXJ0aWFsX2NvbXBsZXRlIiwiY3VzdG9tZXJfZW1haWwiOiJpZDEwMkB0YWRib3guY29tIiwib3JkZXJfaWQiOiJ0WDlPSDVVZ2t6Q1NYT3FOODdyRSIsInRvdGFsX2Ftb3VudCI6MiwiY3VycmVuY3lfY29kZSI6IkVVUiIsInBheW1lbnRfc3RhdHVzIjoiQUNDRVBURURfU0VUVExFTUVOVF9JTl9QUk9DRVNTIn0=",
  "sign": "1X+hFWMfdyAWbtcPTlhGG5cnLJVTyjB0jgXBT8sFDXA=",
  "callbackUrl": "https://webhook.site/b972cd25-8118-465b-bdd0-d4c20bb897c7"
}

The sign field is a digital signature that confirms:

  • The data has not been altered

  • The request was indeed sent by the expected sender

General Verification Logic

  1. Take the value of the data field from the request in Base64 format (without decoding).

  2. Use the secret key obtained from your personal account.

  3. Generate a signature using the HMAC-SHA256 algorithm:

    • Data: the Base64 value of the data field

    • Key: the secret key

  4. Encode the resulting HMAC in Base64.

  5. Compare the generated signature with the sign field from the request.

If the signatures match, the request is considered authentic and unaltered.

Example in JavaScript (Node.js)
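
The verification steps above, written out as an added example (not code from the original page or from the service it describes). The function names, the 401 rejection response and the sample secret, payload and signature are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Steps 1-4: Base64(HMAC-SHA256(key = secret, message = Base64 data string as received)).
function computeSignature(dataB64, secretKey) {
  return crypto.createHmac('sha256', secretKey).update(dataB64, 'utf8').digest('base64');
}

// Step 5: returns the decoded payload if the signature matches, otherwise null.
function verifyWebhook(body, secretKey) {
  if (!body || typeof body.data !== 'string' || typeof body.sign !== 'string') return null;
  const expected = Buffer.from(computeSignature(body.data, secretKey), 'utf8');
  const received = Buffer.from(body.sign, 'utf8');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (received.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(received, expected)) return null;
  try {
    // Decode the payload only after the signature check has passed.
    return JSON.parse(Buffer.from(body.data, 'base64').toString('utf8'));
  } catch {
    return null;
  }
}

// Acknowledge with 200 and "OK" only for verified requests.
// The 401 rejection is an assumption of this example, not something the page specifies.
function handleWebhook(rawBody, secretKey) {
  let body;
  try { body = JSON.parse(rawBody); } catch { body = null; }
  const payload = verifyWebhook(body, secretKey);
  return payload
    ? { status: 200, body: 'OK', payload }
    : { status: 401, body: 'invalid signature', payload: null };
}

// Constructed sample: the secret, payload and signature are made up for this example.
const SECRET = 'constructed-secret-for-example';
const sampleData = Buffer.from(
  JSON.stringify({ order_id: 'EXAMPLE-1', total_amount: 2, currency_code: 'EUR' })
).toString('base64');
const sampleRequest = JSON.stringify({ data: sampleData, sign: computeSignature(sampleData, SECRET) });

console.log(handleWebhook(sampleRequest, SECRET));
```

The signature is computed over the Base64 string exactly as received, so verify before decoding or re-serializing the body, and load the secret from configuration rather than hard-coding it.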

The decoded webhook payload contains the following data:
