🪝Payment Webhook

Be advised that our webhooks are delivered at least once. Implement idempotent operations to safely manage duplicate deliveries.

To receive order status transition updates in a "push" manner you might consider using callbacks.

Setup callback

To receive callbacks, you first need to specify the endpoint where you expect them to arrive.

Use the add setting endpoint to specify the:

  • callback url [required] - use callback.url setting name

  • callback secret [optional] - use callback.secret setting name

If callback.secret is set, a special header will be passed along with every callback request:

X-Payload-Digest

Its value is an HmacSHA1 signature of the callback's body, created using the callback secret provided by the user.

IP of callback sender:


The callback is executed as a POST request to the callback.url endpoint provided by the user. If the provided endpoint can't handle the callback for some reason (bad status code, timeout, etc.), the callback will be retried multiple times.

POST {callback.url}

Content-Type: application/json
X-Payload-Digest: {signature}

{
    "amount": 100.0,
    "balanceAfterPayment": 534.71672,
    "clientOrderId": null,
    "comment": null,
    "createdAt": "2022-01-18T10:16:00.577807Z",
    "currency": "USDT",
    "externalId": "externalId",
    "id": "PMT-18162cf8-ea1c-4210-ab6b-e73286b923df",
    "method": "CRYPTOCOIN",
    "orderId": "ORD-81b84975-4487-43f4-a8ab-57a95ee4e695",
    "orderType": "PAYIN",
    "payUrl": null,
    "payinBankAccount": null,
    "payoutCardNumber": null,
    "payoutCryptoAddress": null,
    "reason": null,
    "status": "SUCCESS",
    "transactionType": "DEBIT",
    "transferTo": null
}

Python code callback verification example

import hashlib
import hmac

SECRET = 'secret_value'  # value set in cabinet callback settings

def verifySignature(callback_raw_response, callback_headers):
    # Signature sent with the callback; a missing header fails verification
    callback_signature = callback_headers.get('X-Payload-Digest', '')
    # Hex-encoded HMAC-SHA1 of the raw body, keyed with the callback secret
    signature = hmac.new(bytes(SECRET, 'utf-8'), bytes(callback_raw_response, 'utf-8'), hashlib.sha1).hexdigest()
    # Constant-time comparison, so response timing does not leak how much of the signature matched
    return hmac.compare_digest(callback_signature.encode('utf-8'), signature.encode('utf-8'))

callback_raw_response = '{"field":"value"}'  # use the raw, unformatted callback body
callback_headers = {"X-Payload-Digest": "7e36242a10fd65cbaacd7ff288df9fd3f9e75a46"}  # header from the callback request

print(verifySignature(callback_raw_response, callback_headers))
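
A receiver that combines the signature check with the idempotent handling that at-least-once delivery requires, as an added example (not the provider's code). The in-memory `processed` set, the `ledger` list, the dedupe key of payment id plus status, and the sample body are assumptions made for illustration.

```python
import hashlib
import hmac
import json

SECRET = b"secret_value"   # constructed sample; use your own callback.secret
processed = set()          # assumption: stands in for a durable table with a unique key
ledger = []                # hypothetical side effect: one entry per applied payment event


def sign(raw_body: bytes, secret: bytes = SECRET) -> str:
    """Hex-encoded HMAC-SHA1 of the raw request body."""
    return hmac.new(secret, raw_body, hashlib.sha1).hexdigest()


def handle_callback(raw_body: bytes, headers: dict) -> tuple:
    """Process one delivery; returns (HTTP status to answer with, outcome)."""
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get("x-payload-digest", "")
    # Check the signature over the exact bytes received, before parsing them,
    # and compare in constant time.
    if not hmac.compare_digest(sign(raw_body).encode(), received.encode()):
        return 401, "rejected"
    event = json.loads(raw_body)
    # Assumed dedupe key: payment id plus status, so a redelivered transition
    # is acknowledged without being applied a second time.
    key = (event["id"], event["status"])
    if key in processed:
        return 200, "duplicate"
    ledger.append((event["orderId"], event["status"], event["amount"]))
    processed.add(key)  # in a real store, commit this together with the effect
    return 200, "processed"


# Constructed sample delivery using field names from the request example above.
BODY = json.dumps({"id": "PMT-example-1", "orderId": "ORD-example-1",
                   "status": "SUCCESS", "amount": 100.0, "currency": "USDT"}).encode()
HEADERS = {"X-Payload-Digest": sign(BODY)}

if __name__ == "__main__":
    print(handle_callback(BODY, HEADERS))         # first delivery
    print(handle_callback(BODY, HEADERS))         # retry of the same event
    print(handle_callback(BODY + b" ", HEADERS))  # body changed after signing
```

A duplicate is answered with a success status so the sender stops retrying, while a failed signature check leaves no state behind.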
