Webhook

You can manage your webhooks by going to settings and the Webhook tab. You can create, view, and delete your webhooks.

Each notification is signed by the API using the webhook secret:

X-Signature-Value: HMAC_SHA256(body, secret)

On the merchant side, you must recalculate this signature to verify the message integrity:

const crypto = require("crypto");
 
const signature = crypto
  .createHmac("sha256", secret)
  .update(JSON.stringify(body))
  .digest("hex");
 
if (signature !== headers["x-signature-value"]) {
  throw new Error("Invalid signature");
}

Obligation

• Verify the HMAC signature before processing the data.
• Use a dedicated and secure endpoint (HTTPS required).
• Handle replayability (idempotence) for each webhook via the eventId field (optional).
• Set up a queue or asynchronous processing on the merchant side to avoid blocking.