
Payment Webhook

Verification

Anyone can impersonate a webhook simply by sending a forged request to a configured endpoint. The Authentication header and the originating IP addresses described below help identify genuine webhooks.

Authentication

Each webhook is sent with a request header named Authentication, which contains a pre-agreed value (provided when the endpoints are set up). Use this value to validate the webhook.

Originating IP Addresses

Webhooks will originate from any of the below IP addresses:

  • 52.215.16.239
  • 54.216.8.72
  • 63.33.109.123
  • 2a05:d028:17:8000::/52
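A receiver-side check that combines the Authentication header and the originating addresses listed above, as an added example that is not the provider's own code. The function names and the sample secret in the tests are assumptions; `peer_ip` should be the TCP peer address, or a forwarding header only when a trusted proxy sets it.

```python
import hmac
import ipaddress

# Source addresses copied from the list above (single hosts as /32).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "52.215.16.239/32",
    "54.216.8.72/32",
    "63.33.109.123/32",
    "2a05:d028:17:8000::/52",
)]


def source_ip_allowed(peer_ip: str) -> bool:
    """True if the connection's peer address is in a published range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed address: reject rather than guess
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in ALLOWED_NETWORKS)


def header_valid(headers: dict, expected_secret: str) -> bool:
    """Compare the Authentication header to the pre-agreed value."""
    if not expected_secret:
        return False  # an unset secret must never match a missing header
    # HTTP header names are case-insensitive.
    presented = next(
        (v for k, v in headers.items() if k.lower() == "authentication"), "")
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(presented.encode(), expected_secret.encode())


def is_genuine_webhook(peer_ip: str, headers: dict, expected_secret: str) -> bool:
    """Require both signals; either one alone is weaker evidence."""
    return source_ip_allowed(peer_ip) and header_valid(headers, expected_secret)
```

Requests that fail either check should be rejected with a non-2xx status and logged with the peer address for later review.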

Indicating successful delivery

Once a message has been received, the endpoint has 15 seconds to return a 2xx (status code 200-299) response. If this period elapses, or a response other than 2xx is returned, the message is treated as a failure.

Retry Schedule

Each message is attempted based on the following schedule:

  • Immediately
  • 5 seconds
  • 5 minutes
  • 30 minutes
  • 2 hours
  • 5 hours
  • 10 hours
  • 10 hours (in addition to the previous)

If all attempts fail for a period of 5 days, the endpoint that is declining the message will be disabled automatically.