In order to receive webhooks from us you should have an endpoint with the ability to receive a "POST" request containing JSON that conforms to the following structure:

{
  "payorId": "string", // this is your own payor id
  "event": "string",   // the event name
  "timestamp": Date,   // the date-time the event was triggered
  "data": {}           // the event payload (see examples)
}

The event and data fields will differ from each event you subscribed to on Add Webhook.

Consuming the Payload

The payload for the event is always an object inside the data property, these can vary based of the subscribed event and are described on the pages bellow.

Validating a Webhook

All Payment Labs webhooks are signed, to ensure your endpoint was called by us, check the User-Agent and x-signature headers.

  • User-Agent is always Payment Labs Webhook
  • x-signature is a composite hash string of the wehbook key and the payload, see the code bellow.
import crypto from 'crypto';

const key = 'hmacKey property from your webhook record';
const hashedString = crypto.createHmac('sha512', key).update(body.data).digest('hex');

📘

Note

Your hmacKey is generated per webhook record and can be found by listing your registered webhooks