Payment Webhook

Verification

Anyone can impersonate webhooks by simply sending a fake webhook to a configured endpoint. Authentication and Originating IP Addresses will help in identifying genuine webhooks.

Authentication

Sent webhooks will have a request header Authentication available which will contain a pre-agreed value (this value will be provided upon setting up the provided endpoints) which can be used to validate the webhooks.

Originating IP Addresses

Webhooks will originate from any of the below IP addresses:

52.215.16.239
54.216.8.72
63.33.109.123
2a05:d028:17:8000::/52

Indicating successful delivery

When a message has been received, a 15 second period is allowed in order to return a 2xx (status code 200-299) response. If this period is elapsed or a different response from 2xx will be returned, the message is treated as failure.

Retry Schedule

Each message is attempted based on the following schedule:

Immediately
5 seconds
5 minutes
30 minutes
2 hours
5 hours
10 hours
10 hours (in addition to the previous)

If all attempts fail for a period of 5 days, the endpoint that will be declining the message will be disabled automatically.

Payment Webhook

Verification​

Authentication​

Originating IP Addresses​

Indicating successful delivery​

Retry Schedule​

Verification

Authentication

Originating IP Addresses

Indicating successful delivery

Retry Schedule