Skip to main content

Transaction Webhook

Verification

Anyone can impersonate webhooks by simply sending a fake webhook to a configured endpoint. Authentication and Originating IP Addresses will help in identifying genuine webhooks.

Authentication

Sent webhooks will have a request header Authorization available which will contain an encoded key and secret using base64 (basic authentication) . The Key/Username and the Password/Secret will be pre-agreed values (these values will be provided upon setting up the provided endpoints) which can be used to validate the webhooks.

Originating IP Addresses

Webhooks will originate from any of the below IP addresses:

  • 3.77.159.222
  • 18.158.91.100
  • 18.198.98.161

Indicating successful delivery

When a message has been received, a 15 second period is allowed in order to return a 2xx (status code 200-299) response. If this period is elapsed or a different response from 2xx will be returned, the message is treated as failure.