In order to receive webhooks from us you should have an endpoint with the ability to receive a "POST" request containing JSON that conforms to the following structure:

{
  "payorId": "string", // this is your own payor id
  "event": "string",   // the event name
  "timestamp": Date,   // the date-time the event was triggered
  "data": {}           // the event payload (see examples)
}

The event and data fields will differ from each event you subscribed to on Add Webhook.

Consuming the Payload

The payload for the event is always an object inside the data property, these can vary based of the subscribed event and are described on the pages bellow.

Responding to Webhooks

Webhooks are always a POST to an enpoint configured at Add Webhook. This endpoint should always respond with a 2XX response code, you must ensure that error codes shouldn't be returned unless there is an error with your application. Error responses will make the Webhook to be retried, we will try to send the event 3 times.

Validating a Webhook

All Payment Labs webhooks are signed, to ensure your endpoint was called by us, check the User-Agent and x-signature headers.

User-Agent is always Payment Labs Webhook
x-signature is a composite hash string of the wehbook key and the payload, see the code bellow.

import crypto from 'crypto';

const key = 'hmacKey property from your webhook record';
const hashedString = crypto.createHmac('sha512', key).update(body.data).digest('hex');

📘
Note
Your hmacKey is generated per webhook record and can be found by listing your registered webhooks