Payment Webhook
Verification
Anyone can impersonate a webhook by sending a forged request to a configured endpoint. The Authentication header and the originating IP addresses described below help identify genuine webhooks.
Authentication
Each webhook is sent with an Authentication request header containing a pre-agreed value, which is provided when the endpoints are set up. Use this value to validate incoming webhooks.
Originating IP Addresses
Webhooks will originate from any of the below IP addresses:
- 52.215.16.239
- 54.216.8.72
- 63.33.109.123
- 2a05:d028:17:8000::/52
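One way a receiving endpoint could combine the two checks above, as an added example rather than code from the webhook provider. The function names and the sample secret in the usage are assumptions; the header name and address ranges are the ones listed on this page.

```python
import hmac
import ipaddress

# Source addresses and range listed on this page.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "52.215.16.239/32",
    "54.216.8.72/32",
    "63.33.109.123/32",
    "2a05:d028:17:8000::/52",
)]


def source_ip_allowed(remote_addr: str) -> bool:
    """True if remote_addr falls inside one of the documented ranges.

    remote_addr must be the TCP peer address, or a value set by a reverse
    proxy you control; never a forwarding header the sender can set freely.
    """
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net
               for net in ALLOWED_NETWORKS)


def authentication_header_valid(headers: dict, expected_value: str) -> bool:
    """Compare the Authentication header with the pre-agreed value."""
    # HTTP header names are case-insensitive.
    supplied = next((v for k, v in headers.items()
                     if k.lower() == "authentication"), None)
    # Fail closed when the header is absent or the secret is not configured.
    if not supplied or not expected_value:
        return False
    # Constant-time comparison avoids leaking the value through timing.
    return hmac.compare_digest(supplied.encode(), expected_value.encode())


def is_genuine_webhook(headers: dict, remote_addr: str,
                       expected_value: str) -> bool:
    """Accept a webhook only when both documented checks pass."""
    return (source_ip_allowed(remote_addr)
            and authentication_header_valid(headers, expected_value))
```

Requests that fail either check can be rejected with a non-2xx status before the body is parsed.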
Indicating successful delivery
After a message is received, the endpoint has 15 seconds to return a 2xx response (status code 200-299). If this period elapses or a non-2xx response is returned, the message is treated as a failure.
Retry Schedule
Each message is attempted based on the following schedule:
- Immediately
- 5 seconds
- 5 minutes
- 30 minutes
- 2 hours
- 5 hours
- 10 hours
- 10 hours (in addition to the previous)
If all attempts fail for a period of 5 days, the endpoint that is declining the message is disabled automatically.