Transaction Webhook
Verification
Anyone can impersonate webhooks by simply sending a fake webhook to a configured endpoint. Authentication and Originating IP Addresses will help in identifying genuine webhooks.
Authentication
Sent webhooks will have a request header Authorization
available which will contain an encoded key and secret using base64 (basic authentication) . The Key/Username and the Password/Secret will be pre-agreed values (these values will be provided upon setting up the provided endpoints) which can be used to validate the webhooks.
Originating IP Addresses
Webhooks will originate from any of the below IP addresses:
- 3.77.159.222
- 18.158.91.100
- 18.198.98.161
Indicating successful delivery
When a message has been received, a 15 second period is allowed in order to return a 2xx (status code 200-299) response. If this period is elapsed or a different response from 2xx will be returned, the message is treated as failure.